Ukraine cyber police ransomware investigation, Kyiv
Authorities search an apartment in Kyiv. Image: Ukraine Cyber Police

High-profile ransomware gang suspects arrested in Ukraine

Law enforcement officers from seven countries said they have arrested key members of a high-profile ransomware gang that was operating from Ukraine.

Since 2018, the group's members have encrypted over 1,000 servers of large enterprises worldwide, causing at least $82 million in damages, according to Ukrainian police. The hackers demanded ransom payments in cryptocurrency.

Among the gang’s victims is “one of the leading chemical companies in the Netherlands,” the police said, without identifying it. The cybercriminals charged it $1.3 million, but it is not clear whether the company paid the ransom.

During the large-scale operation, carried out amid the ongoing war in Ukraine, more than 20 investigators from several European countries, as well as Canada and the U.S., arrested the alleged 32-year-old ringleader and the four most active accomplices. The authorities did not release their names.

These cybercriminals are known for the deployment of LockerGoga, MegaCortex, Hive and Dharma ransomware variants to carry out their attacks, according to the statement by Europol. Police said the operation essentially dismantled the gang.

To get into victims’ computers, the hackers sent phishing emails with malicious attachments, aiming to steal usernames and passwords; they also conducted brute force attacks, where cybercriminals attempt to guess all possible password combinations until they find the correct one.

Once inside networks, the attackers remained undetected and gained additional access using tools such as TrickBot malware, Cobalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks, the investigators said.

This was the second wave of arrests after 12 individuals accused of being part of the same group were apprehended in Ukraine in 2021 after an investigation of ransomware attacks against critical infrastructure. The devices seized during the previous operation helped the police officers identify other suspected members of the gang.

Last week, the police searched apartments in four Ukrainian cities, including the capital, Kyiv. The investigators operating on the ground were receiving help from Europol’s headquarters in the Netherlands, where a virtual command post immediately analyzed the data seized during the searches in Ukraine.

The police also seized the suspects’ computer equipment, cars, bank and SIM cards, dozens of electronic devices, as well as thousands of dollars and cryptocurrency assets.

The suspects had different roles in this criminal organization: Some of them were involved in compromising the IT networks of their targets, while others were suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.