A total of 12 people who wreaked havoc around the world with ransomware attacks against critical infrastructure have been arrested as a result of a law enforcement operation involving at least eight countries.
The attacks are believed to have affected more than 1,800 victims in 71 countries. These cybercriminals are known to specifically target large corporations, which allowed them to run their criminal business more efficiently.
The arrests took place at the end of October in Ukraine and Switzerland. Most of these suspects are considered high-value targets because they are being investigated in parallel in multiple high-profile cases in different jurisdictions.
As a result of the law enforcement action, more than USD 52,000 in cash was seized, along with 5 luxury vehicles. Computer forensic experts are currently examining various electronic devices to obtain evidence and identify new investigative leads.
All suspects had different roles in these highly organised criminal organisations. Some of these criminals used multiple mechanisms to exploit network vulnerabilities, including a range of attacks such as SQL injection, stolen credentials and phishing emails with malicious attachments.
Once on the network, some of these cybercriminals would focus on lateral movement, deploying malware like Trickbot, or post-exploitation frameworks like Cobalt Strike or PowerShell Empire, in order to remain undetected and gain further access.
The criminals would then remain inside the compromised systems undetected, sometimes for months, and probe for further weaknesses in the networks, before moving on to monetise the infection by deploying ransomware. These criminals have been known to deploy ransomware like LockerGoga, MegaCortex and Dharma, among others.
The effects of the ransomware attacks were devastating, as the criminals had had time to scan computer networks undetected.
They then presented a ransom note to the victim, demanding payment to the attackers in bitcoin in exchange for decryption keys.
It is suspected that several of the individuals arrested were responsible for laundering the ransom payments: they would channel the bitcoin ransom payments through various services before collecting the illicit proceeds.