In a major international operation, enforcement agencies from eight different countries have arrested a total of 12 suspects. They are probably part of an international ransomware gang that targeted vital infrastructure. They are estimated to have claimed more than 1,800 victims in 71 countries.
Europol and the police report this in a press statement.
Police seize cash and data carriers
In the early morning of Tuesday, October 26, police from Switzerland and Ukraine raided the homes of the suspects. When the homes were searched, the police seized more than 52,000 euros in cash, as well as five luxury vehicles, expensive watches and data carriers such as laptops and smartphones. Traces were found that indicate that the suspects were involved in spreading ransomware. The police also found clues on the devices that could lead enforcement authorities to the money earned by the criminals.
A total of 55 detectives travelled to Ukraine to support the local police, including four Dutch digital specialists. They helped secure the data carriers they found in the suspects’ homes. In addition to Ukraine, Switzerland and the Netherlands, enforcement agencies from Norway, France, Germany, the US and the UK also took part in the action.
This operation was carried out within the framework of the European Multidisciplinary Platform against the Threat of Crime (EMPACT). Europol facilitated the exchange of information between the police forces. Eurojust manned the coordination centre to facilitate international cooperation.
This is how the suspects proceeded
The police consider the arrested suspects to be valuable targets: they are wanted in several countries for their part in various high-profile cases. According to Europol, they each played their own role in the ‘professional, well-organized criminal organization’. Some worked to infiltrate corporate networks, including by performing brute-force attacks or SQL injections. They also tried to get in with stolen passwords and phishing emails with malicious attachments.
Once inside, the suspects tried to settle into as many systems as possible. This is also known as the lateral movement phase of a cyber attack. Using malware like Trickbot and post-exploitation frameworks like Cobalt Strike and PowerShell Empire, the perpetrators tried to stay undetected and gain further access. In this way, they could sometimes spend months snooping around IT systems, looking for vulnerabilities and then deploying ransomware such as LockerGoga, MegaCortex and Dharma.
Victims received a ransom note from the attackers, asking for unknown amounts in exchange for the decryptor or decryption key. The ransom amounts had to be transferred in bitcoin to the hackers’ bank accounts. The police suspect that a number of suspects are guilty of money laundering.
Dutch police plead for more international cooperation
The Dutch police were also involved in the investigation. In March 2019, the Cybercrime Team of the Rotterdam Unit and the National Cyber Security Center (NCSC) started the investigation into the ransomware gang after a report from a multinational. After some time, the High Tech Crime Team took over the investigation. The main aim was to map out criminal associations and to gather knowledge about their working methods. The team also mapped bitcoin payments and warned hundreds of potential victims worldwide.
According to Andy Kraag, head of the National Criminal Investigation Service of the National Unit, cybercriminals often manage to stay under the radar for a long time. In this way, they cause a lot of damage to citizens, companies and government services. “These groups may be less violent than drug criminals, but they are capable of disrupting our society. Ransomware attacks are really a potential danger for everyone. So there is every reason for us to fully focus on this”, says Kraag.
According to Public Prosecutor Wieteke Koorn, this case proves that international cooperation is crucial to take action against hackers. “Malicious persons are carrying out targeted attacks to demand ransom. Intensive investigative work far beyond national borders shows that the police and the judiciary can also tackle these cybercriminals.”