AT2k Design BBS Message Area
From: Digimaus
To: All
Subject: Hackers caught
Date/Time: November 29, 2023 2:30 PM

From: https://tinyurl.com/3muv2d3v (theregister.com)

===
           Europol shutters ransomware operation with kingpin arrests

A few low-level stragglers remain on the loose, but biggest fish have
been hooked

   Connor Jones
   Tue 28 Nov 2023 // 13:45 UTC

   International law enforcement investigators have made a number of
   high-profile arrests after tracking a major cybercrime group for more than
   four years.

   A joint investigation team (JIT), spearheaded by French authorities,
   formed in 2019 to bring down a ransomware group linked to major attacks
   across the world.

   Announcing the news today, Europol said that five individuals were
   arrested, including the 32-year-old leader of the group and four of its
   "most active accomplices."

   Thirty properties in Ukraine were raided on November 21 across the Kyiv,
   Cherkasy, Rivne, and Vinnytsia regions. A virtual command post was also
   established in Europol's Netherlands headquarters where data taken from
   the property raids was analyzed "immediately."

   Ukrainian National Police raid properties in search of the cybercriminals.
   Image courtesy of Europol

   Europol said today in a press release that the arrests led to the
   "dismantlement" of the group.

   However, a spokesperson told The Register that "there are still a few
   members which are being sought after, but they're of lesser importance."

   The arrests follow 12 that were made in 2021, two years after the JIT was
   first assembled. Members of the same group were arrested in Ukraine and
   Switzerland, and key electronic devices were seized for forensic analysis,
   along with $52,000 in cash and five luxury vehicles.

   The seizure of the electronic devices and their subsequent analysis led to
   the identification of the key members arrested last week.

   Europol said "a number of operational sprints [had] been organized,"
   heavily involving the Norwegian authorities over the past two years to
   analyze the devices.

   Asked why the arrests have come so long after the initial seizure, a
   spokesperson told The Register that it takes time to gather enough
   evidence to prosecute cybercriminals.

   "As always with investigations as well, there's a strategy to try, we
   might have identified these members, but we were continuing to build the
   picture," they said.

   "Whenever you do all the forensic work, you uncover other leads, but open
   up the investigation that feeds into other existing investigations. That's
   why we were only able to do the second round of actions now."

   Also contributing to the two-year delay was the war in Ukraine starting in
   2022, shortly after the seizures were made. Europol believes this didn't
   slow investigations down at all, but the operation had to be reorganized.

  Who's been cuffed?

   The names of those arrested have not been released and the ransomware
   group itself doesn't behave like LockBit, AlphV/BlackCat or Rhysida. The
   cybercriminals were well-resourced and used multiple different strains to
   attack their targets.

   These included LockerGoga, MegaCortex, Hive, and Dharma. Europol said the
   group had attacked more than 250 servers belonging to organizations in 71
   countries, netting the group hundreds of millions of euros in the process.

   The group isn't tracked with a moniker, as many repeat offenders are, but
   it is responsible for major historical attacks, perhaps most notably the
   ransomware incident at Norsk Hydro.

   It was also responsible for the attack on French consultancy Altran, which
   is now known as Capgemini Engineering following a 2019 acquisition.

   The spokesperson said the arrested cybercriminals were not core members of
   any of the organizations behind the ransomware strains they used. However,
   they were on the radar of law enforcement for their involvement in
   numerous other incidents under separate investigations.

   Members all had different roles within the group. Some were responsible
   for the actual intrusion into victims' systems, while others specialized
   in areas such as money laundering - a branch of ransomware operations
   that's also under close examination by global authorities.

   "Those responsible for breaking into networks did so through techniques
   including brute force attacks, SQL injections, and sending phishing emails
   with malicious attachments in order to steal usernames and passwords,"
   Europol said.

   "Once inside the networks, the attackers remained undetected and gained
   additional access using tools including TrickBot malware, Cobalt Strike,
   and PowerShell Empire, in order to compromise as many systems as possible
   before triggering ransomware attacks." (R)
===

-- Sean

... Eyes hurt from excess screen time?  There's a nap for that.
--- MultiMail/Win v0.52
 * Origin: Outpost BBS * Johnson City, TN (618:618/1)