In the relatively short history of ransomware crime, very few of the professional criminals behind these attacks have ever been brought to justice.
So many crimes, so few arrests, and there’s no mystery as to why: Ransomware criminals typically operate from countries with weak or no laws against what they do, and sometimes (stand up, Russia) with what can only reasonably be interpreted as the tacit approval of the government itself.
Ringleader Arrest
This should make Europol’s announcement on Nov. 21 that it arrested the 32-year-old alleged “ringleader” of a major ransomware operation a notable and welcome exception to the normal course of events.
As you read deeper, you realize that this was not a small operation. In total, 30 properties were raided across Ukraine’s capital Kiev in an operation deemed sufficiently important that 20 investigators from Norway, France, Germany and the United States were sent to the country to assist.
Despite the operation taking place in Ukraine, an interesting detail is that both the leader of the alleged ransomware group and four accomplices also arrested were said to be Russian speakers. That doesn’t mean they’re Russian nationals, but the language connection to the country still isn’t a surprise.
Affiliates Not Developers
Of more significance is what these individuals are accused of doing. As Europol lays out the charge sheet:
“These cyber actors are known for specifically targeting large corporations, effectively bringing their businesses to a standstill. They deployed LockerGoga, MegaCortex, Hive, and Dharma ransomware, among others, to carry out their attacks.”
LockerGoga, MegaCortex, Hive, and Dharma, of course, are some of the most active ransomware families of recent times, even if Hive was disrupted in a U.S.-German operation in 2022.
The alleged attacks were hugely successful, allegedly encrypting over 250 servers belonging to different organizations, resulting in ransoms of hundreds of millions of dollars being paid, Europol said.
That sounds huge, and it is huge—it’s likely this group was behind some of the largest attacks of the last three years—but do the arrests hold as much long-term significance as this suggests?
Europol hasn’t revealed their identities, but it’s likely those arrested were connected to a ransomware affiliate. This isn’t the same as arresting the people responsible for developing the ransomware or making it available through Ransom-as-a-Service (RaaS) platforms.
It’s a critical distinction—these people were making money (granted, a lot of it) by using ransomware but were not the ones creating it.
Europol has already said that the latest raid is the result of intelligence gathered during an October 2021 raid in which 12 people were arrested for alleged attacks on 1,800 victims in 71 countries using almost the same types of ransomware.
In other words, in two raids the police have disrupted the affiliates responsible for a large number of attacks. What they haven’t disrupted are the gangs who build the underlying platforms. That means, frustratingly, there is little to stop new affiliates with only basic hacking knowledge from stepping into the gap left by those arrested and carrying out new attacks with the same malware.