Business Continuity Management / Disaster Recovery , Cybercrime , Cybercrime as-a-service

Ukraine Police Bust Ransomware Suspects Tied to 50 Attacks

Victims in US and Europe Lost Over $1 Million; Ransomware Distributed via Spam Email
Ukraine Police Bust Ransomware Suspects Tied to 50 Attacks
Law enforcement agents search a suspect's home in Ukraine. (Photo: National Police of Ukraine)

Police in Ukraine have arrested five individuals on suspicion of using ransomware to extort more than 50 companies across the United States and Europe.

See Also: Cyber Insurance Assessment Readiness Checklist

Authorities say the group's alleged ringleader, a 36-year-old resident of Ukraine's capital city of Kyiv - formerly known as Kiev - was arrested together with his wife and three alleged accomplices.

The National Police of Ukraine's cyber division says that "according to preliminary estimates, more than 50 companies were affected by the attacks, with the total amount of damage reaching more than $1 million."

Police did not name any of the suspects or the type of ransomware they allegedly wielded. News of the arrests was first reported by threat intelligence firm Recorded Future's The Record news site.

As part of the operation, Ukrainian law enforcement agents, together with U.K. and U.S. agents, conducted nine searches of suspects' homes and cars, seizing "computer equipment, mobile phones, bank cards, flash drives and three cars," authorities say.

Selection of items seized by police (Photo: National Police of Ukraine)

The suspects have also been accused of providing an IP-changing service to criminals, allowing them "to carry out illegal activities covertly," police say.

Authorities say the service was akin to an illicit VPN offering on steroids. "They administered the service from home personal computers, and in order to avoid responsibility for their illegal activities they disguised themselves under various nicknames on the darknet network," says the Security Service of Ukraine, which is also known as the SBU.

International hacking groups were among the users of the service, the SBU says, to help them steal confidential information from government agencies and businesses, distribute ransomware and demand a ransom payment, and launch distributed denial-of-service attacks.

At least one of the defendants is also wanted in another country - while not named by authorities, it would appear to be the U.K. - for allegedly using malware to steal bank details from British residents, buy goods and then resell those goods to make an illicit profit.

Police conduct a digital forensic analysis of a seized PC. (Photo: National Police of Ukraine)

Ukraine's investigation remains ongoing. At least so far, however, the suspects have been charged with unauthorized access to computers, distributing malicious software and money laundering.

Cybercrime Crackdowns in Ukraine

The arrests announced Thursday represent at least the seventh major cybercrime crackdown effort undertaken by Ukrainian authorities since the start of 2021.

Previous efforts have targeted:

  • Emotet: In January 2021, an international law enforcement operation disrupted the Emotet botnet, with arrests in Ukraine and the U.S., backed by police in the U.K., the Netherlands, Germany, France, Lithuania and Canada.
  • Egregor: In February 2021, multiple individuals suspected of being affiliates of the Egregor ransomware-as-a-service operation were arrested in Ukraine, in an operation also involving French authorities.
  • Conti: In May 2021, following the Conti group's attack against Ireland's Health Service Executive, Interpol facilitated the "identification and takeover of the attackers' command-and-control server in the Ukraine," Interpol Director of Cybercrime Craig Jones said at a conference last month.
  • Clop: In June 2021, police in Ukraine announced they had arrested six suspected members of the Clop ransomware operation, in a law enforcement effort dubbed Operation Cyclone and backed by South Korea and the U.S.
  • Exchanges: In August 2021, Ukrainian police shuttered multiple allegedly illegal cryptocurrency exchanges in the country processing about $1.1 million in virtual currency transactions each month, at least some of which were allegedly for money laundering purposes.
  • Ransomware: In October 2021, police in Ukraine arrested two members of a ransomware gang they said had attempted to extort up to $80 million from individual victims. The name of the ransomware operation, which allegedly earned more than $150 million from attacking victims, was not released.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.