Europol announces “targeting” of 12 suspects in ransomware attacks

In an intriguingly worded news statement issued today, Europol has announced police action in both Switzerland and Ukraine against 12 cybercrime suspects.

The document doesn’t actually use words such as a “arrested” or “charged with criminal offences”, saying merely that:

A total of 12 individuals wreaking havoc across the world with ransomware attacks against critical infrastructure have been targeted as the result of a law enforcement and judicial operation involving eight countries. […]

As the result of the action [on 26 October 2021], over USD 52,000 in cash was seized, alongside 5 luxury vehicles. A number of electronic devices are currently being forensically examined to secure evidence and identify new investigative leads.

What we don’t know is whether the cars were seized because they are valuable and suspected to be the proceeds of crime, or because cars, like mobile phones, are an important source of forensic evidence in today’s investigative world. (Or both, of course.)

In previous reports we’ve written of recent ransomare busts, cars were seized, along with cash, phones, computers and more – there wasn’t a beater amongst the towed-away vehicles that we could see – but in one of the bust videos, cybercops can be seen checking out computer gear inside the car itself before allowing it to be loaded onto the towtruck.

Job roles in a ransomware gang

The alleged crooks in this operation don’t seem to be the core criminals who produced the ransomware code, dealt with the encryption/decryption process, and handled the blackmail payments from the victims.

Instead, they seem to be from various other arms of the operation.

As you probably know, a lot of ransomware gangs these days consist of what you might call a cybercrime “ecosystem” or “subculture”, with the core coders surrounded by numerous affiliates or associates who take the malware out into the world and use it actively in attacks.

Europol lists the following “job titles” for the suspects targeted in this operation, and described the work duties that the many human cogs in the ransomware machine are alleged to have performed:

  • Job role: Network penetration. Work duties: Use multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments.
  • Job role: Lateral movement. Work duties: Spread through network. Deploy malware along the way, such as Trickbot or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected while gaining further access.
  • Job role: Network exploration. Work duties: Probe for IT weaknesses, sometimes for months.
  • Job role: Ransomware detonation. Work duties: Unleash a final ransomware payload, scrambling as many files as possible on the network, using malware including LockerGoga, MegaCortex and Dharma. Present a blackmail note demanding a ransom payment.
  • Job role: Money laundering. Work duties: A number of the individuals interrogated are suspected of being in charge of laundering the ransom payments: they would funnel the Bitcoin ransom payments through mixing services, before cashing out the ill-gotten gains.

How the crooks make things worse

The dispassionate list given above by Europol, breaking down the modern-day “commercialised” ransomware process into well-defined tasks, is scary enough.

But we’d also like you to read an astonishing and fascinating report from Sophos Managed Threat Respose expert Peter Mackenzie that we published yesterday.

Entitled The top 10 ways ransomware operators ramp up the pressure to pay, it gives you an even more startling and uncompromising insight into just how aggressive and uncompromsing these crooks can be.

Amongst other things, ransomware crooks will email employees individually (and sometimes even phone up IT staff directly) to show off the personal data they’ve stolen, presumably in the hope of getting staff to turn on their employers to urge that the ransom be paid.

We’ve personally sat wide-eyed at work while Peter showed us (with consent, of course) a video recording of an IT manager, in the thick of a ransomware crisis, receiving a personal call from the criminals in which they calmly but chillingly read back to him his social security number and other personal data that they’d extracted from the company network.

That’s the sort of thing that gets your attention!

As Peter writes in his jaw-dropping article:

Attackers generally dig out information such as corporate and personal bank details, invoices, payroll information, details of disciplinary cases, passports, drivers’ licenses, social security numbers, and more, belonging to employees and customers.

For instance, in a recent Conti ransomware attack on a transport logistics provider that Sophos Rapid Response investigated, the attackers had exfiltrated details of active accident investigations, featuring the names of the drivers involved, fatalities and other related information. The fact that such information was about to fall into the public domain added significant stress to an already difficult situation.

Peter has also included a chilling audio voicemail sent by affiliates of the SunCrypt gang, with the permission of the organisation targeted in that attack.

It’s three minutes long, and calmly serious, in a laconic tone that makes it even more unnerving:

[embedded content]

If you don’t pay, the crooks point out, they’ll do numerous bad things to you, such as dumping your data, alerting your competitors, selling off backdoor access to other crooks, and informing the media.

After reeling off the list, they say, with dismissive self-assurance, “Anyway, this will be the last day of your business,” before warning you: “Think about your future and your families.”

Peter also describes how some ransomware crooks have publicised their extortion demands to affected staff by dumping a ransom note on every printer on the network, including those visible to the public, such as point of sale terminals…

…definitely not the sort of verbiage that customers expect to see mixed in with their list of purchases!

What next?

With no mention yet of arrests or criminal charges, but an obvious focus on operational intelligence and forensic analysis (including those five fancy cars), we’ll be interested to see what Europol announces next.

Just last week, we reported on a legally authorised “hack back” operation against the REvil ransomware crew by the FBI and intelligence groups described as hailing from “multiple countries”:

Perhaps the worm is at last beginning to turn on the ransomware scene?

Learn more about Sophos Managed Threat Response here:
Sophos MTR – Expert Led Response  ▶
24/7 threat hunting, detection, and response  ▶

go top