Europol targeted 12 suspicious ransomware operators

Sicherheit (Pexels, allgemeine Nutzung)[German]Europol has took actions against cyber criminals in various countries who extorted ransomware from businesses and organizations. The 12 suspects are accused of infecting 1,800 victims in 71 countries with ransomware and then extorting ransom money. Investigators raided Ukraine and Switzerland on Tuesday this week and recovered cash, luxury cars and other evidence.


Europol and European judicial authority Eurotrust made the announcement in related press statements today (Friday). The following tweet from Europol mentions the action. 

Europol targets Ransomware group

Suspects identified

Investigators managed to target a total of 12 individuals who caused damage to critical infrastructure worldwide with ransomware attacks as part of a law enforcement and judicial operation in eight countries. Investigators believe these defendants are responsible for ransomware attacks on more than 1,800 victims in 71 countries. The cyber actors are known for targeting large companies via ransomware and bringing their operations to a halt.

Actions against the suspects

In the early hours of October 26, 2021, law enforcement actions took place in Ukraine and Switzerland. Most of these suspects are considered high-profile targets, as they are under investigation in several high-profile cases in different jurisdictions. Over $52,000 in cash and 5 luxury vehicles were seized on the day of action. A number of electronic devices are currently being forensically examined to preserve evidence and identify new investigative leads.

A network of cyber criminals

The targeted suspects had various roles in these professional, well-organized criminal organizations. Some of these criminals made efforts to penetrate the network and used multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials, and phishing emails with malicious attachments.


Once inside the network, some of these cyber actors focused on moving laterally and deploying malware such as Trickbot or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire to remain undetected and gain further access.

The criminals then sometimes remain undetected in the compromised systems for months, looking for further vulnerabilities in the IT networks before monetizing the infection by deploying a ransomware. It is known that these cyber actors have deployed LockerGoga, MegaCortex, and Dharma ransomware, among others.

The impact of the ransomware attacks was devastating as the criminals had time to explore the IT networks undetected. Victims were then presented with a ransom note asking them to pay Bitcoin to the attackers in exchange for decryption keys.

Some of those interrogated are suspected of being responsible for laundering the ransom payments: they funneled the Bitcoin ransom payments through compounding services before paying out the ill-gotten gains in cash.

Law enforcement cooperation

On the initiative of French authorities, a joint investigation team (JIT) was established in September 2019 between Norway, France, the United Kingdom, and Ukraine, with financial support from Eurojust and assistance from the two agencies. Since then, the JIT partners have been working closely together in parallel with the independent investigations of the Dutch and U.S. authorities to uncover the real scale and complexity of the criminal activities of these cyber actors and to develop a joint strategy.

International cooperation coordinated by Europol and Eurojust was key to identifying these threat actors. This is because the victims were located in different geographic locations around the world. Eurojust established a coordination center to facilitate cross-border judicial cooperation during the day of action. Seven coordination meetings were held in preparation.

Europol's European Cybercrime Center (EC3) hosted operational meetings, provided support in the areas of digital forensics, cryptocurrencies, and malware, and facilitated information sharing through the Joint Cybercrime Action Taskforce (J-CAT), based at Europol headquarters in The Hague.

More than 50 foreign investigators, including six Europol specialists, were deployed to Ukraine for the day of action to assist national police in conducting joint investigative operations. In addition, a Ukrainian cyber police officer was seconded to Europol for two months to prepare for the Day of Action. The following authorities participated in this operation:

Norway: National Crime Commission (Kripos).
France: Paris Public Prosecutor's Office, National Police (Police Nationale – OCLCTIC)
Netherlands: National Police (Politie), National Public Prosecutor's Office (Landelijk Parket, Openbaar Ministerie)
Ukraine: Prosecutor General's Office (Офіс Генерального прокурора), National Police of Ukraine (Національна поліція України)
United Kingdom: Police Scotland, National Crime Agency (NCA).
Germany: Reutlingen police headquarters (Polizeidirektion Reutlingen)
Switzerland: federal police (fedpol), police Basel-Landschaft
United States: United States Secret Service (USSS), Federal Bureau of Investigations (FBI)
Europol: European Cybercrime Center (EC3)

It turns out that law enforcement can be quite successful against cyber criminals. However, the effort is quite high and some actors are located unreachably in Russia or other countries. 

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *