The ransomware gang with which the suspects reportedly collaborated has been linked to at least $150 million in losses, according to officials.
“The organized crime group is suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards. The criminals would deploy malware and steal sensitive data from these companies, before encrypting their files,” Europol says. “They would then proceed to offer a decryption key in return for a ransom payment of several millions of euros, threatening to leak the stolen data on the dark web should their demands not be met.”
A video released by Ukrainian police shows officers gaining entry to the suspect’s residence, using digital forensic investigation tools to analyze multiple Apple laptops and a PC tower, and then seizing as evidence those devices, along with hard drives, smartphones and other equipment. A search of the premises also revealed a large quantity of $100 bills being stored in a Louis Vuitton box.
Ukrainian police announced the arrests on Monday. They say one of the suspects – an unnamed 25-year-old – gained remote access to victims’ networks in some cases by subverting their own remote access tools, and in other cases by using spam to distribute malware that infected targets.
The arrests, according to Ukrainian National Police, took place on Tuesday, along with searches of seven homes, including the homes of the two suspects and their close relatives. In addition, police seized computers, automobiles, and more than $360,000 in cash, as well as freezing $1.3 million in bitcoin held by the suspects.
Police in Ukraine have arrested two members of a ransomware gang they say has attempted to extort up to $80 million from individual victims.
“In total, the hacker attacked more than 100 companies in North America and Europe,” says Ukraine’s cyber police team. “Among the victims were world-famous energy and tourism companies, as well as equipment developers. The hacker demanded a ransom to restore access to encrypted data.”
Not Named: Suspects or Ransomware Group
It’s not clear whether the suspects are alleged to be core members of the group or affiliates of a ransomware-as-a-service operation. Such affiliates take crypto-locking malware provided by a group, use it to infect victims, and receive a cut of any ransom the victim might pay. Based on Europol’s description of the ransomware group, which it says has issued individual extortion demands ranging from $6 million to $80 million and has targeted device manufacturers, the suspects could be tied to the REvil – aka Sodinokibi – operation, which first appeared in April 2019.
Citing operational reasons, Europol says it won’t yet be naming the ransomware group, due to an ongoing investigation. “As you can very well imagine, the investigators are now working on the evidence seized during the house searches,” Europol spokeswoman Claire Georges tells Information Security Media Group. As noted, Ukrainian police have described one of the arrested suspects as being a 25-year-old hacker. Police say the other suspect is “an accomplice who helped to withdraw money obtained by criminal means.”
The two suspects were identified thanks to a global police operation also involving France’s National Cybercrime Center of the National Gendarmerie, the FBI’s Atlanta field office and Interpol, backed by the EU’s law enforcement agency, Europol, and its European Cybercrime Center. “Six investigators from the French Gendarmerie, four from the U.S. FBI, a prosecutor from the French Prosecution Office of Paris, two specialists from Europol’s European Cybercrime Center and one Interpol officer were deployed to Ukraine to jointly conduct investigative measures with the National Police,” Europol says.
Biden Previews Anti-Ransomware Summit
News of the arrests comes ahead of a planned summit, to be held later this month by U.S. President Joe Biden, aimed at better combating ransomware. “This month, the United States will bring together 30 countries to accelerate our cooperation in combating cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically,” Biden said on Friday. “We are building a coalition of nations to advocate for and invest in trusted 5G technology and to better secure our supply chains. And we are bringing the full strength of our capabilities to disrupt malicious cyber activity, including managing both the risks and opportunities of emerging technologies like quantum computing and artificial intelligence.”
“Ransomware is an international problem which is why these kinds of international operations result in successful arrests,” tweets cybersecurity expert Alan Woodward, who’s a visiting professor in the computer science department at the University of Surrey.