Ukraine Busts 2 Suspects Tied to Major Ransomware Group
$150 Million in Worldwide Losses Tied to Unnamed Ransomware Operation and Suspects
Police in Ukraine have arrested two members of a ransomware gang they say has attempted to extort up to $80 million from individual victims.
Ukrainian National Police say those arrests occurred Tuesday, together with searches of seven residences, including the homes of the two suspects and their close relatives. Police also seized computing devices, vehicles and more than $360,000 in cash, and froze $1.3 million worth of cryptocurrency controlled by the suspects.
Officials have not named the ransomware group with which the suspects allegedly worked, which they say has been tied to at least $150 million in damages.
"The organized crime group is suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards. The criminals would deploy malware and steal sensitive data from these companies, before encrypting their files," Europol says. "They would then proceed to offer a decryption key in return for a ransom payment of several millions of euros, threatening to leak the stolen data on the dark web should their demands not be met."
Ukrainian police announced the arrests on Monday. They say one of the suspects, an unnamed 25-year-old, gained remote access to victims' networks in some cases by subverting the victims' own remote access tools, and in other cases by using spam to distribute malware that infected targets.
A video released by Ukrainian police shows officers gaining entry to the suspect's residence and then using digital forensic investigation tools to analyze multiple Apple laptops and a PC tower, before seizing those machines, along with hard drives, smartphones and other devices, as evidence. A search of the premises also revealed a large quantity of $100 bills stored in a Louis Vuitton box.
"In total, the hacker attacked more than 100 companies in North America and Europe," says Ukraine's cyber police team. "Among the victims were world-famous energy and tourism companies, as well as equipment developers. The hacker demanded a ransom to restore access to encrypted data."
Not Named: Suspects or Ransomware Group
It's not clear whether the suspects are alleged to be core members of the group or affiliates of a ransomware-as-a-service operation. Such affiliates take crypto-locking malware provided by a group, use it to infect victims, and receive a cut of any ransom the victim might pay.
Based on Europol's description of the ransomware group, which it says has issued individual extortion demands ranging from $6 million to $80 million and has targeted device manufacturers, the suspects could be tied to the REvil - aka Sodinokibi - operation, which first appeared in April 2019.
(Chart: Ransomware Family Detections)
Citing operational reasons, Europol says it won't yet be naming the ransomware group, due to an ongoing investigation. "As you can very well imagine, the investigators are now working on the evidence seized during the house searches," Europol spokeswoman Claire Georges tells Information Security Media Group.
As noted, Ukrainian police have described one of the arrested suspects as being a 25-year-old hacker. Police say the other suspect is "an accomplice who helped to withdraw money obtained by criminal means."
The two suspects were identified thanks to a global police operation also involving France's National Cybercrime Center of the National Gendarmerie, the FBI's Atlanta field office and Interpol, backed by the EU's law enforcement agency, Europol, and its European Cybercrime Center.
"Six investigators from the French Gendarmerie, four from the U.S. FBI, a prosecutor from the French Prosecution Office of Paris, two specialists from Europol's European Cybercrime Center and one Interpol officer were deployed to Ukraine to jointly conduct investigative measures with the National Police," Europol says.
"Ransomware is an international problem which is why these kinds of international operations result in successful arrests," tweets cybersecurity expert Alan Woodward, who's a visiting professor in the computer science department at the University of Surrey.
Biden Previews Anti-Ransomware Summit
News of the arrests comes ahead of a planned summit, to be held later this month by U.S. President Joe Biden, aimed at better combating ransomware.
"This month, the United States will bring together 30 countries to accelerate our cooperation in combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically," Biden said on Friday. "We are building a coalition of nations to advocate for and invest in trusted 5G technology and to better secure our supply chains. And we are bringing the full strength of our capabilities to disrupt malicious cyber activity, including managing both the risks and opportunities of emerging technologies like quantum computing and artificial intelligence."
CNN reports that the first meeting of the anti-ransomware summit will be held virtually.
Biden has also continued to urge American businesses to improve their cyber resiliency. "The federal government needs the partnership of every American and every American company in these efforts," he said. "We must lock our digital doors - by encrypting our data and using multifactor authentication, for example - and we must build technology securely by design, enabling consumers to understand the risks in the technologies they buy."
National Security Adviser Jake Sullivan tells CNN that the upcoming summit will "continue to build on our whole-of-government effort to deter and disrupt cyberattacks."
Those efforts have included the U.S. Treasury Department last month sanctioning Russia-based cryptocurrency exchange Suex for allegedly laundering tens of millions of dollars for ransomware operators, scammers and darknet markets.
The Treasury Department's Office of Foreign Assets Control, or OFAC, has officially blacklisted the exchange, which it accuses of laundering illicit proceeds for at least eight ransomware operations.