Illustration by Security Management

Officials Arrest 12 Alleged Ransomware Actors Suspected of Attacking Critical Infrastructure

Officials arrested 12 individuals in Ukraine and Switzerland on 26 October for their alleged role in carrying out ransomware attacks against critical infrastructure, Europol announced on Friday. 

The individuals are suspected to be involved in attacks in 71 countries on more than 1,800 victims—mostly large corporations. Europol did not release the individuals’ names but did confirm it seized more than $52,000 in cash, five luxury vehicles, and several electronic devices during the raids.

“The targeted suspects all had different roles in these professional, highly organized criminal organizations,” Europol said. “Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials, and phishing emails with malicious attachments.”

Once they gained access to a network, the criminals would attempt to move laterally within it while remaining undetected and gaining further access. They would maintain their presence in the compromised systems—sometimes for months—before deploying ransomware, including LockerGoga, MegaCortex, and Dharma.

“The effects of the ransomware attacks were devastating as the criminals had had the time to explore the IT networks undetected,” Europol said. “A ransom note was then presented to the victim, which demanded the victim pay the attackers in Bitcoin in exchange for decryption keys.”

Along with being suspected of cybercrime, some of the individuals arrested are also suspected of laundering the ransom payments.

Europol and Eurojust oversaw the international cooperation for the Tuesday raids, but the investigation effort was launched in France in September 2019 with members from France, the United Kingdom, and Ukraine. They also began working with independent investigations being conducted by Dutch and U.S. authorities.

“More than 50 foreign investigators, including six Europol specialists, were deployed to Ukraine for the action day to assist the National Police with conducting jointly investigative measures,” Europol said. “A Ukrainian cyber police officer was also seconded to Europol for two months to prepare for the action day.”

The raid and arrests come at a time when officials are facing increased pressure to penalize ransomware groups for their activity. So far, many ransomware threat actors have not faced prosecution for their crimes because they often live in a country other than the one where the crime was committed, so arrests and extradition require international cooperation. Officials are also looking to act because ransomware gangs are changing their tactics to target critical infrastructure, such as the Colonial Pipeline, the agriculture sector, and more.

Regulators are also facing pressure to take action to limit the use of cryptocurrency, which is increasingly used to pay ransoms. On Thursday, the Financial Action Task Force (FATF) recommended governments broaden their regulatory oversight of cryptocurrency firms to require them to check identities of their customers and report suspicious transactions. 

“The FATF’s guidelines don’t have the force of law, and would need to be implemented by national regulators in each country,” The Wall Street Journal reports. “Still, the Paris-based group is influential in setting standards for government policies against money laundering and financing of terrorism, and its guidelines could shape new crypto regulations around the world. More than three dozen countries are FATF members, including the U.S., China, and much of Europe.”

In September 2021, the United States imposed the first sanctions on a cryptocurrency exchange—Suex—for facilitating transactions with proceeds from at least eight ransomware incidents.

The U.S. Treasury Department “offered few details about Suex, declining to say where the company was based or what kinds of transactions it dealt with, though a Russian computer executive confirmed on Tuesday that he was the founder,” according to The New York Times. “Treasury officials did say that while some virtual currency exchanges are exploited by criminals, Suex was facilitating illegal activities for its own gain.”