Europol said that it detained 12 suspects this week who are believed to be part of a professional criminal group that has planned a long list of ransomware attacks against large companies since 2019, with more than 1,800 victimized entities in 71 countries. The suspects were detained in Ukraine and Switzerland on Tuesday, October 26.
“Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions,” Europol said in a press release today. “Some of these criminals are dealing with infiltrations, using multiple mechanisms to disrupt IT networks, including brute force attacks, SQL injections, theft of login credentials and sending phishing emails with malicious attachments.”
Europol said that once inside a network, the organization spends several months detecting weaknesses in order to expand its reach.
The organization usually deploys and spreads malware such as TrickBot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected and gain further access.
The organization also operates externally and is suspected to be an affiliate of multiple ransomware-as-a-service (RaaS) platforms. It has used different ransomware families, such as LockerGoga, MegaCortex, and Dharma.
Europol said that those arrested this week also included people who helped the organization launder money after victims paid the ransom.
According to a press release from the Norwegian police criminal investigation department Kripos, the 12 suspects are believed to have orchestrated the ransomware attack on Norsk Hydro, a Norwegian aluminum processing company, in March 2019. The ransomware attack forced the company to operate on two continents. The factory stopped production for nearly a week.
Europol stated that law enforcement agencies from Norway, France, the United Kingdom, Switzerland, Germany, Ukraine, the Netherlands and the United States participated in this week’s arrests and investigations.
“More than 50 foreign investigators, including 6 Europol experts, were deployed to Ukraine on the day of operations to assist the national police in joint investigation measures. A Ukrainian cyber policeman was also seconded to Europol for two months to prepare for the action day,” Europol said.
Before this week’s arrests, two ransomware operators were detained in Ukraine earlier this month, and six people suspected of laundering money for the Clop ransomware group were detained in Ukraine in June.