- A multinational taskforce has initiated a crackdown on 12 international cybercrime suspects targeting critical infrastructure with ransomware attacks.
- The actors are known for launching attacks against large corporations, which are believed to have affected more than 1,800 victims in over 70 countries.
- The taskforce moved against these individuals on October 26 and seized digital devices, currency, and luxury vehicles.

Europol announced that eight countries participated in an operation that identified 12 individuals related to ransomware attacks targeting critical technology infrastructure in 71 countries. As a result of these attacks, it is believed over 1,700 victims have been affected. On October 26, the European Multidisciplinary Platform Against Criminal Threats (EMPACT) and 50 foreign investigators in Ukraine and Switzerland managed to seize over $52,000 in cash and five luxury vehicles. Several electronic devices are being analyzed for evidence and new leads.
Most of the 12 suspects have been linked to multiple high-profile cases, making them high-value targets for law enforcement in different jurisdictions. All these individuals had various roles in multiple professional criminal organizations, and some took part in penetrating and compromising IT networks through stolen credentials, brute force attacks, SQL injections, and malicious attachments delivered via phishing emails.
They also moved laterally, installing malware like Trickbot or using Cobalt Strike or PowerShell Empire, to keep a minimal digital footprint and obtain more data. The actors would continue probing for other weaknesses after the initial penetration and then deploy ransomware to monetize the intrusion.
Since they remained undetected in the compromised networks, sometimes even for several months, the effects of the ransomware attacks were devastating for these big companies, sometimes bringing their operations to a halt. Ransomware used by the suspects includes LockerGoga, MegaCortex, and Dharma.
The ransom note asked for Bitcoin payments, and Europol believes some of the interrogated suspects handled the ransom payments, moving the cryptocurrency through mixing services to erase digital traces before cashing out the money.
The operation was conducted under the French joint investigation team (JIT) established in September 2019, and it collaborated with Norway, France, the United Kingdom, and Ukraine. Since then, it has linked Europol and Eurojust to further its investigations and later collaborated with Dutch and U.S. authorities as well. In this specific operation, among the participating authorities were the US Secret Service and FBI, the UK Scotland Police and NCA, Germany's Police Headquarters Reutlingen, and Norway's National Criminal Investigation Service (Kripos).