UPDATED 19:26 EST / NOVEMBER 28 2023

Europol-led operation results in arrest of alleged ransomware gang in Ukraine

A joint international law enforcement operation led by the European Union Agency for Law Enforcement Cooperation and the European Union Agency for Criminal Justice Cooperation has resulted in the arrest of five people allegedly running a ransomware group from Ukraine.

Those arrested included a 32-year-old man who is alleged to have been the ringleader of the gang, along with four accomplices.

The unnamed gang, which from descriptions may have been operating as an affiliate for other ransomware groups under a ransomware-as-a-service model, is claimed to have deployed LockerGoga, MegaCortex, HIVE and Dharma ransomware, among others, to carry out the attacks.

Those arrested are said to have had different roles in the organization. Some are said to have been involved in compromising the IT networks of their targets, while others are suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files.

Those compromising networks did so through brute-force attacks, SQL injection and phishing emails with malicious attachments, all aimed at stealing usernames and passwords. Having illegally gained access to a victim's network, the group then deployed tools, including TrickBot, Cobalt Strike and PowerShell Empire, to compromise as many systems on that network as possible before deploying ransomware.

The ransomware group is believed to have carried out attacks against organizations in 71 countries, across more than 250 servers, “resulting in losses exceeding several hundreds of millions of euros,” according to a statement from Europol.

Law enforcement authorities involved in the operation included officers from Norway, France, the Netherlands, Germany, Switzerland, Ukraine, the EU and the U.S. In the case of the U.S., the Federal Bureau of Investigation and the Secret Service participated in the operation.

Commenting on the arrests, Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE that it’s “nice to see coordinated efforts being used to take down criminal groups such as ransomware gangs.”

“Oftentimes, the red tape surrounding operations to take down cybercriminals can be nearly impossible to get through; however, coalitions such as this can have a significant and positive impact on clearing those hurdles,” Kron added. “Once again, the group’s tactics are a lesson for organizations to secure themselves against the common types of initial network access attacks, including credential brute force attacks, SQL injection attacks and phishing emails, which can not only lead to ransomware but also other types of cybercrime.”

Photo: Europol
