2 ‘Prolific’ Ransomware Operators Arrested in Ukraine

2 ‘Prolific’ Ransomware Operators Arrested in Ukraine

Europol has announced the arrest of two “prolific” ransomware operators known for extorting ransom demands between $6 million to $81 million.

In a statement, Europol said that the arrest of the two ransomware operators last September 28th in Ukraine was a coordinated strike by the French National Gendarmerie, the Ukrainian National Police, and the United States Federal Bureau of Investigation (FBI), with the coordination of Europol and INTERPOL.

The arrest of the two ransomware operators, Europol said, led to the seizure of $375,000 in cash, seizure of two luxury vehicles worth $251,000, and asset freezing of $1.3 million in cryptocurrencies.

The arrested individuals, Europol said, are part of an organized ransomware group suspected of having committed a string of ransomware attacks targeting large organizations in Europe and North America from April 2020 onwards.

The group’s modus operandi, Europol said, includes deployment of malicious software (malware), stealing sensitive data from target companies before encrypting these sensitive files.

After data encryption and stealing of data, Europol further said, the group then offers a decryption tool in exchange for a ransom payment. When ransom demand isn’t met, Europol added, the group threatens to leak the stolen data on the dark web.

Authorities refused to give the names of the two arrested individuals. The name of the ransomware group wasn’t disclosed as well.

Disrupting Ransomware Operations

In June 2021, the Cyber Police Department of the National Police of Ukraine arrested six members of the Clop ransomware group. Computer equipment, cars, and about $185,000 in cash were confiscated by the authorities.

“Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the Cyber Police Department of the National Police of Ukraine said in a statement.

According to the Cyber Police Department of the National Police of Ukraine, the Clop ransomware group is responsible for $500 million worth of damages worldwide. The arrest of the six members of the Clop ransomware group was a joint operation from law enforcement agencies in Ukraine, South Korea, and the United States.

A few days after the arrest of the six members of the Clop ransomware group, the group claimed other victims, showing that the arrest of the members didn’t disrupt the operation of the Clop ransomware group. 

In February 2021, French and Ukrainian law enforcement agencies arrested in Ukrain several members of the Egregor ransomware group. Trend Micro, in a statement, said that the arrest of several members of the Egregor ransomware group was made possible, in part, of its assistance.

“Since its first appearance in September 2020, Egregor ransomware has been involved in high-profile attacks against retailers, human resource service companies, and other organizations,” Trend Micro said. “It operated under the ransomware-as-a-service (RaaS) model where groups sell or lease ransomware variants to affiliates, making it relatively easier even for inexperienced cybercriminals to launch attacks. Like some prominent ransomware variants, Egregor employs a ‘double extortion’ technique where the operators threaten affected users with both the loss and public exposure of the encrypted data.”

Ransomware

Ransomware is a persistent and rapidly evolving cybersecurity problem. Ransomware, in general, is a malware that’s traditionally meant to encrypt victim files – preventing victims from accessing their files. After data encryption, attackers then demand from victims ransom payment in exchange for the decryption tool that purportedly could unlock the encrypted files.

Early ransomware attackers demand from their victims to pay only one ransom payment, that is, for the decryption tool. Today’s ransomware attackers demand from their victims two ransom payments, also known as double extortion, one for the decryption tool and the second for the non-publication of the stolen data exfiltrated prior to data encryption.

Clop ransomware enters the victims’ networks through any of the following methods:

. Phishing emails sent to employees of the target organization

. Remote Desktop Protocol (RDP) compromise via brute-force attacks

. Exploitation of known software security vulnerabilities

Similar to Clop ransomware, Egregor ransomware enters the victims’ networks through phishing emails sent to employees of the target organization and RDP compromise. Egregor ransomware has also been known to access victims’ networks through VPN exploits.

Many of today’s notorious ransomware programs are operated under the ransomware-as-a-service (RaaS) model. In a RaaS model, the ransomware developer sells or leases the ransomware program to affiliates who are responsible for spreading the ransomware and generating infections. The developer takes a percentage of the ransom payment and provides the affiliates share of the ransom payment. 

Cybersecurity Best Practices

Here are some of the cybersecurity best practices in preventing or mitigating the effects of ransomware attacks:

. Avoid clicking on links and downloading attachments in emails from questionable sources

. Keep all software up to date

. Protect RDP servers with strong passwords, multi-factor authentication (MFA), virtual private networks (VPNs), and other security protections

. Implement the 3-2-1 backup rule: Make three copies of sensitive data, two copies should be in different formats, and keep one duplicate should be kept offsite.