Law enforcement officials from seven countries, in cooperation with Europol, arrested five individuals suspected of being members of a ransomware group linked to attacks against organizations in 71 countries. The arrests took place last week after searches of more than 30 properties in Ukraine.
The 32-year-old gang leader and four of his “most active” accomplices were detained. Authorities have not revealed their names.
More than 20 investigators from Norway, France, Germany and the U.S. worked alongside Ukrainian police in the operation. Europol, the European Union's law enforcement agency, set up a virtual command center in the Netherlands to process the data collected during the searches.
In addition to the arrests, agents seized computers, cars, bank cards, SIM cards and dozens of storage devices, along with other evidence. Cryptocurrency and the equivalent of about $110,000 in Ukrainian hryvnia were also confiscated.
Gang used varied techniques
According to the investigation, the suspects paralyzed the operations of large companies using ransomware families including LockerGoga, MegaCortex, Hive, and Dharma. “After remaining on the compromised systems undetected, sometimes for months, the criminals would install different types of ransomware,” says Eurojust, the European Union’s agency for judicial cooperation.
“A ransom demand was then presented to the victims, asking for payment in bitcoins in exchange for the encryption keys,” the agency adds.
The gang members had distinct roles: some broke into networks, while others laundered the ransom payments. Initial access was gained through techniques such as brute-force attacks on credentials, SQL injection, and phishing emails carrying malicious attachments.
Once inside, they used TrickBot (a loader that is often the first stage of an intrusion) together with the post-exploitation frameworks Cobalt Strike and PowerShell Empire to move laterally and compromise further machines on the same network, staging the environment before the ransomware was deployed.
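The initial-access technique the investigators name first, credential brute force, is also the one that is cheapest to catch on the defender's side. The following script is an added example (it is not code from the article, Eurojust or Europol, and the log lines are constructed, not from the case) showing the check a blue team would run over SSH authentication logs: it flags a source address once it accumulates a burst of failed logins inside a time window, and raises the severity if that same source then gets an accepted login while the burst is still fresh, which is the signature of a password-guessing attack that succeeded. The log format mimics OpenSSH messages with an ISO timestamp prepended; the threshold and window values are assumptions to be tuned per environment.

```python
"""Brute-force login detector run over constructed auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines shaped like OpenSSH auth logging with an ISO timestamp
# prepended. These are invented for the example, not records from the case.
SAMPLE_LOG = """\
2021-11-01T10:00:01 sshd[4100]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2021-11-01T10:00:04 sshd[4101]: Failed password for root from 203.0.113.7 port 51001 ssh2
2021-11-01T10:00:09 sshd[4102]: Failed password for root from 203.0.113.7 port 51002 ssh2
2021-11-01T10:00:15 sshd[4103]: Failed password for invalid user backup from 203.0.113.7 port 51003 ssh2
2021-11-01T10:00:21 sshd[4104]: Failed password for root from 203.0.113.7 port 51004 ssh2
2021-11-01T10:00:30 sshd[4105]: Accepted password for root from 203.0.113.7 port 51005 ssh2
2021-11-01T10:05:00 sshd[4110]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2021-11-01T10:05:07 sshd[4111]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
2021-11-01T11:30:00 sshd[4200]: Accepted publickey for deploy from 192.0.2.10 port 39000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Parse one auth line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alerts.

    A 'medium' alert fires once per burst when a source IP reaches `threshold`
    failed logins inside `window`. A 'high' alert fires if that same source then
    gets an Accepted login while its failure burst is still inside the window.
    Threshold and window are assumed tuning values, not figures from the article.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    flagged = set()                # ips whose current burst already raised 'medium'
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        recent = failures[ip]
        # Slide the window: forget failures older than `window`.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if not recent:
            flagged.discard(ip)  # burst has aged out; a new one may alert again
        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"severity": "medium", "ip": ip,
                               "failures": len(recent), "at": ts})
        elif ip in flagged:
            # Success right after a guessing burst: likely a compromised account.
            alerts.append({"severity": "high", "ip": ip, "user": ev["user"],
                           "failures_before": len(recent), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample input the 203.0.113.7 burst produces a medium alert on its fifth failure and a high alert when the root login succeeds nine seconds later; the single failed attempt from 198.51.100.4 and the key-based login from 192.0.2.10 produce nothing. In production the same logic belongs in the SIEM with per-source thresholds, and a high alert should trigger immediate review of what that session did next, since the article's gangs spent the time after access staging lateral movement rather than deploying ransomware right away.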
Gang hacked more than 250 servers
Investigators believe the arrested group was responsible for encrypting more than 250 servers of major companies, extorting “hundreds of millions of euros” from victims.
Beyond the arrests, the Europol-coordinated investigation enabled authorities in Switzerland to build a decryption tool for files encrypted by the LockerGoga and MegaCortex ransomware. Victims who kept their encrypted files can therefore recover them without paying a ransom.