Police from multiple countries have dismantled a ransomware operation whose main hub was located in Ukraine, searching 30 properties across four regions of the country and arresting its ringleader.
Europol and Eurojust swooped down on a Ukraine-based Ransomware as a Service (RaaS) scheme, yet another organization with several affiliates spun off from it, and arrested its leader. The operation had targeted dozens of entities across many countries. According to Europol, the hackers carried out their attacks using the MegaCortex, Hive, LockerGoga and Dharma ransomware families. “LockerGoga and Megacortex were notably some of the earlier ransomware variants in use when the cyber criminal community began shifting away from mass distributed ransomware and point-of-sale operations to post-compromise ransomware deployment targeting corporations,” said Kimberly Goody, Head of Cybercrime Analysis at Mandiant, Google Cloud.
The cybercriminals drew on a broad range of techniques, including SQL injection, phishing emails and brute-force attacks, to work their way into networks. Once inside, they deployed malware such as TrickBot, along with tools such as Cobalt Strike and PowerShell Empire, to gain access to other systems.
According to the authorities, over 250 servers belonging to major organizations across several sectors and industries were compromised, accounting for hundreds of millions of dollars in losses. Some aspects of the case, however, leave the attribution open to question. “The ransomware variants allegedly associated with these actors have hit organizations in healthcare and other critical industries. Some of the TTPs described in the press release align with activity we have historically attributed to a FIN6-affiliated actor including the use of Trickbot and Lockergoga, however, given the complexities and interdependence of the cyber crime ecosystem we cannot confirm at this time whether this law enforcement action is associated with this threat actor,” Goody added.
Reportedly, the use of multiple file-encrypting ransomware families, as well as the roles attributed to the suspects, underpins their status as a Ransomware as a Service operation. The defendants occupied multiple points in the interwoven web of affiliates and performed duties of all sorts, from high-profile functions to lower-key support work.
“The individuals under investigation appear to have served as affiliates of multiple ransomware services over time and/or in supporting functions to enable multiple groups,” Goody said.
Among the suspects, some were in charge of hacking the organizations while others were in charge of laundering the ransoms the victims paid. The expert also weighed in on the recruiting and working processes of cybercriminal organizations and the challenges they face, many of which resemble those of legitimate businesses.
“Threat actors commonly partner with different actors over time to perform certain aspects of a compromise, such as initial access or money laundering, which is likely the case of at least some of these suspects. Breaking one link in their organizational cycle can cause significant – albeit temporary – disruptions to these groups, as identifying, vetting and trusting new partners can be challenging in the criminal world,” Goody concluded.