A series of raids conducted across Ukraine has seen law enforcement officers from the Ukrainian National Police, Europol, Norway, France, Germany, and the USA arrest five members of a ransomware gang which has compromised many organisations across 71 different countries.
On the 21st November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia, resulting in the arrest of the 32-year-old ringleader and four other members of the gang who have allegedly been responsible for the LockerGoga, MegaCortex, HIVE and Dharma ransomware.
The raids follow an initial set of arrests back in 2021 as part of the same investigation. Since those raids, a number of operational sprints have been organised at Europol and in Norway with the aim of forensically analysing the devices seized in Ukraine in 2021. The forensic work facilitated the identification of the suspects targeted during this latest set of raids.
International effort
In September 2019, a joint investigation team was established between Norway, France, the UK and Ukraine, with financial support from Eurojust. These law enforcement teams have been working in parallel with the independent investigations of the Dutch, German, Swiss and U.S. authorities, to locate the threat actors in Ukraine and seek arrests.
The forensic analysis carried out on devices recovered in the investigation has allowed the Swiss authorities, Bitdefender, and the No More Ransom partners to develop decryption tools for the LockerGoga and MegaCortex ransomware variants. These decryption tools have now been made available for free on: www.nomoreransom.org
The Ukrainian National Police has released some images of the raids and some information about the gang's activities via the website of the Ukrainian National Police.
It was established that over several years of criminal activity, criminals encrypted more than 1,000 servers of global enterprises and caused losses in the amount of more than 3 billion hryvnias in national currency.
During the raids, computer equipment, cars, bank and SIM cards, “draft” records, as well as dozens of electronic media and other evidence of illegal activities were seized, in particular almost 4 million hryvnias and cryptocurrency assets.
Europol has also released a video of the raids which shows one suspect climbing on a rooftop to try to evade capture, and one other suspect who appeared to be having a quiet evening alone semi-naked, with a laptop and a roll of tissue – I’m sure he was the most surprised at the interruption.