Access: Former HIVE members arrested


The cyber attackers in Ukraine thought they were safe for a long time, but on November 21st it was over. A team of international investigators arrested the head of the cyber attack group along with four of his most active accomplices. The former HIVE members are said to have encrypted 250 servers of large corporations in recent years, causing damage amounting to several hundred million euros.

The cooperation between Europol and many investigators from Norway, France, Germany and the United States paid off. After the APT group HIVE was dismantled in 2021, investigators did not let up. The result: they caught the cyber gangsters who used the HIVE code and other malware to attack and encrypt over 250 servers of large companies, causing damage amounting to hundreds of millions of euros.

Former HIVE members arrested in Ukraine

On November 21, 30 properties in the Kyiv, Cherkasy, Rivne and Vinnytsia regions were searched, resulting in the arrest of the 32-year-old ringleader. Four of the ringleader's most active accomplices were also arrested. More than 20 investigators from Norway, France, Germany and the United States were deployed to Kyiv to support the Ukrainian National Police in their investigative efforts. This setup was mirrored at Europol headquarters in the Netherlands, where a virtual command post was activated to immediately analyze data seized during the house searches in Ukraine.

This latest action follows a first round of arrests in 2021 as part of the same investigation. Since then, several operational sprints have been organized at Europol and in Norway with the aim of forensically analyzing the devices seized in Ukraine in 2021. This forensic follow-up work made it possible to identify the suspects targeted in the Kyiv operation.

Dangerous, undiscovered and versatile

The individuals under investigation are believed to be part of a network responsible for a series of high-profile ransomware attacks against organizations in 71 countries. These cyber actors are known for specifically targeting large corporations and effectively paralyzing their business operations. To carry out their attacks, they used the ransomware families LockerGoga, MegaCortex, HIVE and Dharma, among others.

The suspects had different roles in this criminal organization. Some of them are said to have been involved in compromising their targets' IT networks, while others are suspected of being responsible for laundering the cryptocurrency payments. The victims had paid the ransoms in Bitcoin and other means of payment to have their files decrypted.

The investigation revealed that the perpetrators encrypted over 250 servers of large corporations, causing damage amounting to several hundred million euros.

International cooperation

At the initiative of the French authorities, a Joint Investigation Team (JIT) was set up between Norway, France, the United Kingdom and Ukraine in September 2019, with financial support from Eurojust and operational support from both agencies. Since then, the partners in the JIT have been working closely together, in parallel with the independent investigations by the Dutch, German, Swiss and US authorities, to identify and bring to justice the threat actors in Ukraine.

This international cooperation remained steadfast and uninterrupted, even in the face of the challenges posed by the ongoing war in Ukraine. A Ukrainian cyber police officer was initially deployed to Europol for two months to prepare for the first phase of the operation, before being permanently deployed to Europol to facilitate law enforcement cooperation in this area.

Taskforce didn't give up – new decryption tools

From the start of the investigation, Europol's European Cybercrime Centre (EC3) hosted operational meetings, provided support in digital forensics, cryptocurrency tracing and malware analysis, and facilitated information sharing through the Joint Cybercrime Action Taskforce (J-CAT), which is hosted at Europol's headquarters.

The forensic analysis carried out as part of this investigation also enabled the Swiss authorities, together with No More Ransom partners and Bitdefender, to develop decryption tools for the LockerGoga and MegaCortex ransomware variants. These decryption tools are available free of charge at www.nomoreransom.org.

More at Europol.Europa.eu
