Europol, the European Union's law enforcement agency, announced today the arrest of 12 people involved in ransomware attacks across the world. According to Europol's press release, the suspects are believed to have affected more than 1,800 victims in 71 countries, mostly large corporations and critical infrastructure operators. Norway's National Criminal Investigation Service, commonly known as Kripos, reported that one of those victims was the Norwegian company Hydro, hit in March 2019.
The operation took place on Oct. 26 in Ukraine and Switzerland. In addition to the arrests, law enforcement seized five luxury vehicles, over $52,000 and electronic devices; the devices will be examined forensically to support the investigation and possibly open new ones.
The cybercriminal suspects and their methods
Ransomware operations require several distinct roles, and the groups running them are highly organized criminal organizations. The 12 suspects indeed covered a range of skills: penetration testing to compromise targeted corporations through brute-force attacks and SQL injection, running phishing email campaigns, and stealing credentials to move further into compromised systems.
Europol reported that some of the suspects used the post-exploitation framework Cobalt Strike and deployed malware such as the infamous Trickbot in order to stay undetected and escalate their privileges in the targeted systems.
They would then explore the compromised network before moving to the next stage: deploying the ransomware. LockerGoga, MegaCortex and Dharma were among the ransomware families used in this case.
At that stage, they allegedly presented the targeted company with a ransom note demanding payment in Bitcoin in exchange for the decryption keys needed to recover the encrypted files and make them usable again.
The impact on corporations is severe. As a striking example, the attack targeting Norwegian company Hydro in 2019, which did not pay the ransom, had an estimated cost of about $52 million.
A joint effort from eight countries
These arrests are the joint efforts of eight countries: France, Germany, the Netherlands, Norway, Switzerland, Ukraine, the United Kingdom and the United States.
A joint investigation team (JIT) was set up in September 2019 at the initiative of the French authorities, bringing together France, Norway, the United Kingdom and Ukraine. The JIT then worked in parallel with the independent investigations run by the authorities in the U.S. and the Netherlands to uncover the suspects' criminal activities and agree on a joint strategy.
The operation was coordinated by Europol and Eurojust, the EU agency for criminal justice cooperation, because the victims were spread around the world. It was carried out within the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
EMPACT is a permanent security initiative driven by EU member states. Its goal is to identify, prioritize and address threats (including cybercrime) posed by organized international crime.
More to come with these investigations?
Investigations are still ongoing, consisting mostly of forensic analysis of the seized electronic devices and of the large amount of data secured in connection with the operation.
Håvard Aalmo, head of the computer crime section at Kripos, said that such an operation, meticulous and painstaking as it is, shows that it is possible to act on a report of such an attack, as Hydro did.
Aalmo added that this type of crime must be solved through international police cooperation. The group targeted businesses in 71 countries without needing to be present in any of them to carry out the attacks, so the police must cooperate across national borders.
Ransomware activity more and more exposed
A few days ago, law enforcement officials and cyber specialists hacked into the network of REvil, a ransomware group that was "top of the list" according to Tom Kellermann, adviser to the U.S. Secret Service on cybercrime investigations and head of cybersecurity strategy at VMware. Over the second quarter of the year, 73% of ransomware detections were related to the REvil/Sodinokibi family, according to McAfee's latest Advanced Threat Research Report.
Earlier this month, the White House held a summit with more than 30 countries to address ransomware, recognizing the need for urgent action against this kind of threat and for more collaboration between governments and private businesses.
Recommendations for how to detect and prevent ransomware
Use multi-factor authentication wherever possible. Cybercriminals often gain access to a system with legitimate user credentials; MFA prevents them from logging in with a stolen account's password alone.
Don't let sensitive data be accessible from the internet. Data isolation is important and must be maintained continuously, not set up once.
Keep secure backups of all important data, ideally offline or otherwise unreachable from the production network. Remember that attackers often disable backup systems before deploying ransomware, so any change to backup policies or configuration should raise an alert to the security staff.
Keep all applications and assets up to date and apply patches as fast as possible, so that a known software vulnerability cannot be used against you.
Work with a zero-trust strategy. Zero trust is a cybersecurity paradigm focused on resource protection and on the premise that trust is never granted implicitly but must be continually evaluated. It helps enforce least-privilege access across all applications, cloud platforms, systems and databases.
Audit your systems for vulnerabilities and misconfigurations so that cybercriminals cannot use an easy software flaw or configuration mistake to break into the corporation.
Raise employee awareness with security campaigns, focusing on phishing emails, since phishing is one of the most common ways to initially compromise a system.
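Two of the recommendations above (alerting on backup tampering, and the credential abuse that MFA blunts) translate directly into detection logic. The following is an added example written for this article, not code from Europol, Kripos or any of the vendors mentioned. It runs two detectors over constructed telemetry that loosely mimics Windows process-creation and logon events; the field names (`type`, `cmdline`, `src_ip`, and so on) and the sample records are assumptions made for the example, not real incident data.

```python
"""Detect two ransomware precursors over constructed log records:
(1) commands that delete shadow copies or disable Windows recovery,
which attackers typically run before encrypting files, and
(2) password brute-forcing: many failed logons from one source to one
host, followed by a success (an MFA requirement would have stopped it).
Record layout is an assumption for this example, not a real log format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Widely documented backup/recovery tampering commands. Illustrative, not exhaustive.
BACKUP_TAMPER_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "shadow copies deleted with vssadmin"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "shadow copies deleted with wmic"),
    (r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", "Windows Backup catalog deleted"),
    (r"bcdedit(\.exe)?.*recoveryenabled\s+no", "Windows recovery disabled with bcdedit"),
    (r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", "boot failure recovery suppressed"),
    (r"Win32_ShadowCopy.*Delete", "shadow copies deleted via WMI/PowerShell"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), why) for p, why in BACKUP_TAMPER_PATTERNS]


def detect_backup_tampering(events):
    """Return (host, user, reason, cmdline) for every process-creation event
    whose command line matches a backup/recovery tampering pattern."""
    hits = []
    for ev in events:
        if ev.get("type") != "process_create":
            continue
        cmd = ev.get("cmdline", "")
        for rx, why in _COMPILED:
            if rx.search(cmd):
                hits.append((ev["host"], ev["user"], why, cmd))
                break  # one alert per event is enough
    return hits


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return (src_ip, host, user, failure_count) for each source that logged
    at least `threshold` failures within `window` of a subsequent success
    against the same host. Below-threshold failures (typos) are ignored."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("type") in ("logon_failure", "logon_success"):
            by_src[(ev["src_ip"], ev["host"])].append(ev)
    alerts = []
    for (src, host), evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for ev in evs:
            if ev["type"] == "logon_failure":
                failures.append(ev["ts"])
            else:
                recent = [t for t in failures if ev["ts"] - t <= window]
                if len(recent) >= threshold:
                    alerts.append((src, host, ev["user"], len(recent)))
                failures = []  # a success closes the current guessing burst
    return alerts


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    {"type": "process_create", "ts": _ts("2021-10-26T02:14:03"), "host": "FS01",
     "user": "CORP\\svc_backup", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process_create", "ts": _ts("2021-10-26T02:14:05"), "host": "FS01",
     "user": "CORP\\svc_backup", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"type": "process_create", "ts": _ts("2021-10-26T02:15:00"), "host": "WS17",
     "user": "CORP\\alice", "cmdline": "C:\\Windows\\System32\\notepad.exe report.txt"},
]
# Twelve failed RDP logons from one address in two minutes, then a success.
SAMPLE_EVENTS += [
    {"type": "logon_failure", "ts": _ts("2021-10-26T01:00:00") + timedelta(seconds=10 * i),
     "host": "RDP01", "user": "administrator", "src_ip": "198.51.100.23"}
    for i in range(12)
]
SAMPLE_EVENTS.append({"type": "logon_success", "ts": _ts("2021-10-26T01:02:30"),
                      "host": "RDP01", "user": "administrator", "src_ip": "198.51.100.23"})
# A legitimate user mistyping a password twice stays below the threshold.
SAMPLE_EVENTS += [
    {"type": "logon_failure", "ts": _ts("2021-10-26T08:00:00") + timedelta(seconds=30 * i),
     "host": "RDP01", "user": "bob", "src_ip": "10.0.5.12"}
    for i in range(2)
]
SAMPLE_EVENTS.append({"type": "logon_success", "ts": _ts("2021-10-26T08:01:30"),
                      "host": "RDP01", "user": "bob", "src_ip": "10.0.5.12"})

if __name__ == "__main__":
    for hit in detect_backup_tampering(SAMPLE_EVENTS):
        print("BACKUP TAMPERING:", hit)
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print("BRUTE FORCE:", alert)
```

On the sample data the first detector fires twice (the vssadmin and bcdedit commands on FS01) and the second fires once for 198.51.100.23 against RDP01, while bob's two typos produce nothing. In production the same logic would be fed from Sysmon Event ID 1 or Security Event ID 4688 for process creation and Event IDs 4625/4624 for logons; the threshold and window should be tuned against your own baseline of failed logons.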
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.