Five law enforcement agencies today announced the arrest of two ransomware operators who, starting on April 20, allegedly conducted a string of targeted attacks against large industrial organizations in Europe and North America.
The arrest was made in Ukraine on September 28 by the French National Cybercrime Centre of the National Gendarmerie, the Cyber Police Department of the National Police of Ukraine, the FBI Atlanta Field Office, Europol, and Interpol.
A Europol release states the arrests led to the seizure of US$375,000 in cash and two luxury vehicles worth €217,000 (US$252,116), as well as the freezing of $1.3 million in cryptocurrency.
Ukrainian authorities said the suspects were responsible for attacks against more than 100 organizations worldwide and caused more than $150 million in damages.
As of Monday afternoon, the identity of the ransomware gang was not disclosed. Europol said the ransomware operators were known for their lofty ransom demands, which in some cases hit €70 million (US$81.3 million).
Like many other ransomware gangs, these operators would deploy malware and steal sensitive data from their victims before encrypting files. They would then offer a decryption key in return for a ransom payment, adding to the extortion by threatening to leak the stolen data on the Dark Web if the victims refused to meet their demands.
This bust was significant because the threat actors were arrested in Ukraine, which the industry often views as a relatively safe haven for cybercrime, says Jake Williams, co-founder and CTO at BreachQuest.
"This is almost certain to throw a monkey wrench in other ransomware-as-a-service operations," says Williams. "Some operators will worry about information compromised in this bust, while others are re-evaluating the relative safety of their physical operations, especially if they’re operating in Ukraine."
Ukraine has some of the best software developers in the world, so it’s no surprise that a few of them turn their skills to illicit activities, said Gurucul CEO Saryu Nayyar. This was important because it’s often very difficult to secure the support of governments in some eastern European countries for cyberattacks that don’t necessarily affect them, he says.
"So the use of Ukraine police resources, France, Europol, Interpol, and the FBI working together to corral two separate ransomware operations represents a real success for international law enforcement, as well as a shot across the bow of current and future ransomware attackers," Nayyar says. "More efforts along these lines should help reduce the instances of ransomware attacks against organizations simply going about their business."
Stefano De Blasi, cyber threat intelligence analyst at Digital Shadows, says the suspects reportedly compromised their victims via spear-phishing campaigns and targeting remote working tools such as Remote Desktop Protocol (RDP) and virtual private networks (VPNs). This highlights how social engineering remains a vital access vector for threat actors, he says, as human curiosity is often exploited to bypass technological defenses. The use of RDP and VPNs to compromise organizations suggests the suspects have likely gained access to victims by purchasing initial access broker (IAB) listings on cybercriminal forums and marketplaces, De Blasi adds.
"Ukrainian police said that the suspects had an accomplice who helped the group launder money gained from illicit means," De Blasi says. "The use of individuals skilled in laundering money has been a significant factor in the development of ransomware groups into an effective criminal business model. Although law enforcement agencies have not named the ransomware gang behind this operation, it's unclear what extent the operation will have on the group in question or on the wider ransomware ecosystem."
Eddy Bobritsky, CEO at Minerva Labs, says his team believes the bust represents a very good step in fighting cybercriminals, and they are very curious about the identity of the two operators.
"Some speculate it might be REvil gang, but at the moment we have no information regarding the subject," Bobritsky says. "We are pleased to see that serious steps are being taken in defending companies from cyberattacks, but of course it's not enough, and every company must protect themselves against potential cyberattacks by preventing an attack before the initial stage even starts."
Tim Wade, technical director of the CTO team at Vectra, adds there are two sides of the coin when it comes to disincentivizing ransomware activities. First, is the matter of how organizations can protect themselves and what investments in people, process, and technology they're making to increase their resilience against the sort of disruption that ransomware represents, he says.
"But coordinated law enforcement is the other half of that coin," Wade says. "And these arrests signal that when it comes to recent proclamations about the unacceptability of ransomware, there’s some bite to the bark."