Two-year investigation results in raids targeting ‘high-value’ suspects and seizure of cash and computers

A ransomware group that’s said to be responsible for thousands of “devastating” attacks against high-profile targets worldwide has been disrupted after a dozen prominent members were “targeted” by law enforcement, Europol has announced.

Police also seized more than $52,000 in cash, five luxury vehicles, and electronic devices as they swooped on locations in Ukraine and Switzerland in the early hours of October 26.

The electronic devices are being forensically examined in the hope of uncovering further evidence and investigative leads, said Europol in a press release.

Norsk Hydro defiance

The EU’s law enforcement body said 12 individuals were targeted in relation to a “professional, highly organized” cybercrime group that favored large corporations and is believed to have directed attacks affecting more than 1,800 victims in 71 countries.

As confirmed by Norwegian police, this includes a ransomware attack that crippled the IT systems of Norwegian industrial giant Norsk Hydro in 2019.


Catch up on the latest ransomware-related news and analysis


The aluminum and renewable energy provider refused to pay the ransom despite having to operate without computer systems for several weeks.

While the incident cost Norsk Hydro an estimated $70 million in losses, the company was widely praised for refusing to cave into the hackers’ demands, as well as its transparency in communicating the attack to its customers and the wider public.

‘High-value targets’

Some of the suspects “interrogated” in the Europol- and Eurojust-led operation are believed to have been involved in the compromise of corporate networks, while others are accused of overseeing the laundering of ransom payments using bitcoin mixing services.

“Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions,” said Europol.

The ransomware gang breached IT networks via phishing emails, stolen credentials, brute force attacks, and the exploitation of SQL injection vulnerabilities, among other mechanisms, said Europol.

Once inside networks the attackers moved laterally and deployed malware such as Trickbot or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire.


RELATED Trickbot: Russian national extradited to US for alleged role in developing notorious banking trojan


Europol said the attackers then probed for further weaknesses as they lurked undetected in compromised systems, often for several months.

The group deployed ransomware variants including MegaCortex, Dharma and – as was the case with Norsk Hydro – LockerGoga.

Victims were instructed to pay ransoms in bitcoin in exchange for decryption keys.

The investigation, which began in September 2019, involved law enforcement authorities from France, Netherlands, Ukraine, UK, Germany, Switzerland, US, and Norway.


RECOMMENDED Ransomware forensics research reveals cybercrime tradecraft secrets