Ukraine Police Bust Ransomware Suspects Tied to 50 Attacks
Victims in US and Europe Lost Over $1 Million; Ransomware Distributed via Spam Email
Police in Ukraine have arrested five individuals on suspicion of using ransomware to extort more than 50 companies across the United States and Europe.
Authorities say the group's alleged ringleader, a 36-year-old resident of Ukraine's capital city of Kyiv - formerly known as Kiev - was arrested together with his wife and three alleged accomplices.
The National Police of Ukraine's cyber division says that "according to preliminary estimates, more than 50 companies were affected by the attacks, with the total amount of damage reaching more than $1 million."
Police did not name any of the suspects or the type of ransomware they allegedly wielded. News of the arrests was first reported by threat intelligence firm Recorded Future's The Record news site.
As part of the operation, Ukrainian law enforcement agents, together with U.K. and U.S. agents, conducted nine searches of suspects' homes and cars, seizing "computer equipment, mobile phones, bank cards, flash drives and three cars," authorities say.
The suspects have also been accused of providing an IP-changing service to criminals, allowing them "to carry out illegal activities covertly," police say.
Authorities say the service was akin to an illicit VPN offering on steroids. "They administered the service from home personal computers, and in order to avoid responsibility for their illegal activities they disguised themselves under various nicknames on the darknet network," says the Security Service of Ukraine, which is also known as the SBU.
International hacking groups were among the users of the service, the SBU says, relying on it to help them steal confidential information from government agencies and businesses, distribute ransomware and demand a ransom payment, and launch distributed denial-of-service attacks.
At least one of the defendants is also wanted in another country - while not named by authorities, it would appear to be the U.K. - for allegedly using malware to steal bank details from British residents, buy goods and then resell those goods to make an illicit profit.
Ukraine's investigation remains ongoing. At least so far, however, the suspects have been charged with unauthorized access to computers, distributing malicious software and money laundering.
Cybercrime Crackdowns in Ukraine
The arrests announced Thursday represent at least the seventh major cybercrime crackdown effort undertaken by Ukrainian authorities since the start of 2021.
Previous efforts have targeted:
- Emotet: In January 2021, an international law enforcement operation disrupted the Emotet botnet, with arrests in Ukraine and the U.S., backed by police in the U.K., the Netherlands, Germany, France, Lithuania and Canada.
- Egregor: In February 2021, multiple individuals suspected of being affiliates of the Egregor ransomware-as-a-service operation were arrested in Ukraine, in an operation also involving French authorities.
- Conti: In May 2021, following the Conti group's attack against Ireland's Health Service Executive, Interpol facilitated the "identification and takeover of the attackers' command-and-control server in the Ukraine," Interpol Director of Cybercrime Craig Jones said at a conference last month.
- Clop: In June 2021, police in Ukraine announced they had arrested six suspected members of the Clop ransomware operation, in a law enforcement effort dubbed Operation Cyclone and backed by South Korea and the U.S.
- Exchanges: In August 2021, Ukrainian police shuttered multiple allegedly illegal cryptocurrency exchanges in the country processing about $1.1 million in virtual currency transactions each month, at least some of which were allegedly for money laundering purposes.
- Ransomware: In October 2021, police in Ukraine arrested two members of a ransomware gang they said had attempted to extort up to $80 million from individual victims. The name of the ransomware operation, which allegedly earned more than $150 million from attacking victims, was not released.