2 ransomware operators arrested in Ukraine by law enforcements and Europol

Sicherheit (Pexels, allgemeine Nutzung)[German]In a concerted action by law enforcement agencies coordinated by Europol and Interpol, two suspected operators in the field of ransomware crime were arrested in Ukraine as early as September 28, 2021. The suspects are accused of infecting companies in Europe and the United States with ransomware and then extorting ransom money.


Europol's notification states that on September 28, 2021, a coordinated operation by the French Gendarmerie (Gendarmerie Nationale) and the United States Federal Bureau of Investigation (FBI) led to arrests by the Ukrainian National Police. The whole operation was coordinated by Europol and Interpol.

During the action of the Ukrainian National Police, seven house searches (of close relatives of the arrested main perpetrator) were carried out and two arrests were made. The house searches resulted in the:

  • confiscation of 375 000 US dollars in cash
  • confiscation of two luxury vehicles worth 217 000 euros
  • As well as the freezing of assets in the amount of $1.3 million in cryptocurrencies

The organized crime group is suspected of carrying out a series of targeted attacks on very large industrial companies in Europe and North America starting in April 2020. However, the names of these companies were not mentioned. The criminals deployed malware (whose name was also not mentioned) and stole sensitive data from these companies before encrypting their files with the installed ransomware. According to this tweet, someone is guessing REvil/Sodinokibi – since the Kaseya hack included this US$70 million ransomware – but that's not certain.

The malware was transferred to the affected companies' devices by hacking the remote desktop software of their users, as well as sending spam emails to company emails with screenshots of malicious content.


The cybercriminals then offered a decryption key in exchange for payment of a ransom of several million euros and threatened to publish the stolen data on the dark web if their demands were not met. The two ransomware operators arrested in Ukraine are accused of extortionate ransom demands in several cases (between EUR 5 and 70 million).

Close cooperation between the law enforcement agencies involved, supported by Europol's Joint Cybercrime Action Taskforce (J-CAT), led to the identification of the two individuals in Ukraine. Six investigators from the French gendarmerie, four from the U.S. FBI, a prosecutor from the French prosecutor's office in Paris, two specialists from Europol's European Cybercrime Center (EC3) and an INTERPOL officer were deployed to Ukraine to conduct joint investigative actions with the national police.

Europol supported the investigation from the beginning and brought together all the countries involved to develop a common strategy, according to the press release. Europol's cybercrime specialists organized 12 coordination meetings to prepare for the day of action and provided support in the areas of analysis, malware, forensics and crypto-tracing. Europol set up a virtual command post to ensure seamless coordination between all participating agencies.

Ukraine: Ransomware-Operatoren verhaftet

Catalin Cimpanu, referring to these arrests in the above tweet, states (with reference to this press release) that the ransomware group made $150 million in attacks on over 100 companies. The arrests, including one of a 25-year-old hacker, were made in Kiev, Ukraine. The second person arrested was likely the partner who helped the hacker withdraw the money captured through the extortion from accounts. The following video shows scenes of the house search of one of the arrested perpetrators. 

(Source: Ukrainian National Police/YouTube)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *