Authorities in Ukraine arrested five people in recent days as part of an international investigation into ransomware attacks, Ukrainian and European authorities said Tuesday.
Police in Ukraine arrested a 32-year-old man they say was the “leader” of a group, as well as “his four most active accomplices,” according to a Google translation of a statement issued by the Ukrainian Cyber Police.
The crew’s attacks, which used ransomware variants including LockerGoga, MegaCortex, HIVE and Dharma, impacted victims in 71 countries, according to the statement. The arrests are the continuation of an investigation that began in 2019 and included 12 arrests in 2021.
The attackers successfully encrypted more than 250 servers “belonging to large corporations, resulting in losses exceeding several hundred million” euros, authorities said.
Investigators from seven countries took part in the investigation and enforcement action, including personnel from the U.S. Secret Service and the FBI, according to Europol.
The FBI didn’t respond to a request for comment at the time of publication Tuesday. The U.S. Secret Service declined to comment.
The people arrested appear to have served as affiliates of multiple ransomware services over time, or in supporting roles, said Kimberly Goody, Mandiant’s head of cybercrime analysis.
“Threat actors commonly partner with different actors over time to perform certain aspects of a compromise, such as initial access or money laundering, which is likely the case of at least some of these suspects,” Goody said in a statement. “Breaking one link in their organizational cycle can cause significant — albeit temporary — disruptions to these groups, as identifying, vetting and trusting new partners can be challenging in the criminal world.”
The operation is just the latest in a string of international law enforcement actions taken against ransomware operators as part of a more proactive approach to disrupt the activity, even if it does not lead to arrests.
U.S. officials announced in January an international operation that took down infrastructure connected to the Hive ransomware group, for instance, which included long-term access to Hive networks. Another operation, announced in April, targeted infrastructure associated with Genesis Market, a marketplace for cybercriminals to trade in stolen credentials and access to compromised computers.
U.S. officials told reporters in a call after the Genesis Market operation that at least part of the proactive, disruptive approach includes undermining trust in the entire cybercrime ecosystem.