2021-10-29

Their malicious activities affected 1,800 victims in 71 countries, and their impunity ended at dawn on Tuesday in a resounding crackdown dubbed Operation 5th Element. After two years of a meticulous investigation under the aegis of Europol, an international team of 50 police officers, including experts from the judicial police, carried out the coordinated arrest in Ukraine and Switzerland of 12 cybercriminals. They paralyzed and extorted their targets with powerful “ransomware”, malware that encrypts, in other words renders completely unreadable, the data of a computer, server or network belonging to a company or a local community.

Six Europol police officers collaborated with other European and American experts.

The investigation began with the filing of a complaint by a large French company attacked in early 2019 by the LockerGoga ransomware. The specialized prosecutor’s office of the TGI of Paris then referred the case to the judicial police, which centralizes and coordinates in France the investigations related to cyberattacks of the “ransomware” type.

Led by the Central Office for the Fight against Crime Related to Information and Communication Technologies (OCLCTIC), the online investigations involved cyber sleuths from eight countries where the hackers had been rampant: the Netherlands, Norway, Germany, the United Kingdom and the United States, as well as the Ukrainian and Swiss police services, in order to plan the arrests. The European Cybercrime Centre (EC3) hosted seven coordination meetings in The Hague.

The inspectors first traced the C2 server, which was controlling and communicating with the malware. Unexpected stroke of luck: it was located in France and allowed them to pivot to others. With the help of European experts, they then mapped the criminal infrastructure and analyzed the means of communication between the ransomers and their victims. Finally, they followed the “money trail”, that is to say the addresses of the Bitcoin wallets to which the ransoms, when they were paid, were sent. “The advantage of IT is that it leaves traces that allow us to trace the tracks,” smiles a police source.

A criminal structure of specialists

Considered “high value targets”, big fish in the cybercriminal environment, the individuals arrested were part of a veritable organized gang with well-defined roles. Some were responsible for infiltrating the computer systems of targets, mainly large companies, using all the tools available to hackers: theft of passwords and credentials, brute-force attacks or massive “phishing” campaigns.

After gaining initial access, the Ukraine-based thugs deployed the Trickbot malware and set up stealthy attack tools such as Cobalt Strike. These specialists then moved discreetly through their victims’ networks and remained hidden, sometimes for several months, before triggering the encryption of the data and demanding the payment of a ransom in Bitcoin to decrypt it or to avoid its publication on the Internet.

A historical ransomware operator

Investigators suspect them of having deployed the LockerGoga ransomware, which has been active since 2019 and specializes in attacking industrial systems, but also the MegaCortex and Dharma malware, which were among the first to exfiltrate data before making it unreadable without a decryption key.