Europol Arrested 12 High-valued Suspects Responsible for Over 1,800 Ransomware Attacks on Critical Infrastructure in 71 Countries

Europol detained 12 individuals involved in over 1,800 ransomware attacks affecting victims in 71 countries, according to Europol’s press release.

The suspects are considered high-value targets and are being investigated in multiple high-profile cases across several jurisdictions.

Europol agents seized valuables that could be the proceeds of cybercrime during the raids. They included a stash of $52,000 in cash, five luxury vehicles, and several electronic devices, including mobile phones possibly used in the attacks.

The devices are undergoing forensic analysis that could allow the authorities to identify further leads. Ukrainian police posted footage recorded during the operation on YouTube.

Detained suspected hackers belonged to a ransomware-as-a-service platform

Europol says that the suspects had different roles in the cybercrime enterprise, including penetration testing, brute force attacks, SQL injection, phishing emails, malicious attachments, and stolen credentials.

Others specialized in lateral movement across networks and deploying Trickbot and post-exploitation frameworks like Cobalt Strike or PowerShell Empire to escalate privileges.

“The criminals would then lay undetected in the compromised systems, sometimes for months, probing for more weaknesses in the IT networks before moving on to monetizing the infection by deploying a ransomware,” Europol explained.

According to Europol, the individuals were affiliates of a ransomware-as-a-service (RaaS) platform used to deploy ransomware strains such as LockerGoga, MegaCortex, and Dharma, among others.

They targeted large corporations, effectively shutting down their operations through ransomware attacks and demanding ransom payments in exchange for decryption keys.

Some of the individuals were investigated for money laundering: they cashed out Bitcoin obtained from successful ransomware attacks by channeling it through cryptocurrency mixing services.

Several ransomware attacks were attributed to the detained suspected hackers

Investigative authorities implicated the 12 individuals in the March 2019 ransomware attack on the Norwegian aluminum processor Norsk Hydro, which involved the LockerGoga variant.

During the attack, the company incurred $50 million in losses after shutting down operations for a week across multiple countries on two continents. The group was also responsible for the January 2019 attack on the French group Altran.

Ukrainian authorities had earlier detained eight more suspects involved in ransomware attacks, including six individuals who laundered money for the Clop ransomware gang.

Cybercrime takedown involved international coordination and planning

Cybercrime gangs received law enforcement authorities’ attention after consecutive high-profile ransomware attacks on U.S. critical infrastructure.

The coordinated operation took place in Ukraine and Switzerland on October 26, 2021. It was carried out under the auspices of the European Multidisciplinary Platform Against Criminal Threats (EMPACT) and involved more than 50 foreign investigators.

In September 2019, French authorities formed a joint investigation team (JIT) involving Norway, France, the United Kingdom, and Ukraine, with financial assistance from Eurojust.

Six Europol specialists were deployed to assist the Ukrainian National Police with the investigations. Similarly, one Ukrainian cyber police officer was sent to Europol for two months in preparation for the operation.

Europol did not release the names of the suspects but confirmed that there were judicial proceedings against them. They face up to 12 years behind bars for their alleged involvement in the cybercrime empire.