A joint strike involving the FBI, the Ukrainian National Police, the French National Gendarmerie, and INTERPOL has led to the arrest of “two prolific ransomware operators known for their extortionate ransom demands” ranging from $5.8 to $81.2 million.
The agency says this strike led to the search of seven different properties in Ukraine, the freezing of $1.3 million worth of cryptocurrency, and the seizure of $375,000 in cash, as well as two luxury cars worth approximately $252,000.
Europol doesn’t offer many details about the arrested pair. “The criminals would deploy malware and steal sensitive data from these companies, before encrypting their files,” it says. “They would then proceed to offer a decryption key in return for a ransom payment of several millions of euros, threatening to leak the stolen data on the dark web should their demands not be met.”
Europol also says “the organized crime group is suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards. Ukrainian authorities say the arrested hacker and his accomplice targeted 100 organizations and caused up to $150 million in damages in that time frame.
It’s possible the pair arrested during this strike were part of REvil, a well-known ransomware operator that reemerged from months of silence in September and was recently accused of stealing the ransoms paid to smaller cyber criminals. REvil is known for being a prolific, Russian-speaking group that demands high ransoms, so it matches Europol’s description of the group.
REvil’s attacks typically follow the process outlined in Europol’s announcement—compromising the target system, demanding a ransom in exchange for a decryption key, and threatening to reveal private information if the ransom isn’t paid—as well. But so do attacks conducted by other groups, and even if REvil’s ransomware was used in an attack, it might not be directly involved.
The Ukrainian National Police statement (as translated by Google Translate) indicates that only one of the people arrested as part of this strike is a hacker, though. The other is described “an accomplice who helped to withdraw money obtained by criminal means.” They also say that unidentified “computers” and “mobile phones” were seized during the strike.
More information should be available as the pair make their way through the legal system. The Ukrainian National Police says the hacker was accused of violating “Part 2 of Art. 361 (Unauthorized interference in the work of computers, automated systems, computer networks or telecommunications networks), Part 3 of Art. 209 (Legalization (laundering) of property obtained by criminal means) of the Criminal code of Ukraine” and could face 12 years in prison.