High-profile ransomware gang suspects arrested in Ukraine

Jason Macuray
Law enforcement officers from seven countries said they have arrested key members of a high-profile ransomware gang that was operating from Ukraine.

Since 2018, the group’s members have encrypted over 1,000 servers of large enterprises worldwide, causing at least $82 million in damages, according to Ukrainian police. The hackers demanded ransom payments in cryptocurrency.

Among the gang’s victims is “one of the leading chemical companies in the Netherlands,” the police said, without identifying it. The cybercriminals charged it $1.3 million, but it is not clear whether the company paid the ransom.

During the large-scale operation, carried out amid the ongoing war in Ukraine, more than 20 investigators from several European countries, as well as Canada and the U.S., arrested the alleged 32-year-old ringleader and the four most active accomplices. The authorities did not release their names.

The group is known for deploying the LockerGoga, MegaCortex, Hive and Dharma ransomware families, according to a statement by Europol. Police said the operation essentially dismantled the gang.

To get into victims' networks, the hackers sent phishing emails with malicious attachments designed to steal usernames and passwords; they also ran brute-force attacks, in which an attacker repeatedly tries candidate passwords against an account until one is accepted.

Once inside networks, the attackers remained undetected and gained additional access using tools such as TrickBot malware, Cobalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks, the investigators said.

This was the second wave of arrests: 12 individuals accused of belonging to the same group were apprehended in Ukraine in 2021, following an investigation into ransomware attacks against critical infrastructure. The devices seized during that earlier operation helped police identify other suspected members of the gang.

Last week, the police searched apartments in four Ukrainian cities, including the capital, Kyiv. The investigators operating on the ground were receiving help from Europol’s headquarters in the Netherlands, where a virtual command post immediately analyzed the data seized during the searches in Ukraine.

The police also seized the suspects’ computer equipment, cars, bank and SIM cards, dozens of electronic devices, as well as thousands of dollars and cryptocurrency assets.

The suspects had different roles in this criminal organization: Some of them were involved in compromising the IT networks of their targets, while others were suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files.

Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

