• Hackers caught

    From Digimaus@618:618/1 to All on Wednesday, November 29, 2023 14:30:25
    From: https://tinyurl.com/3muv2d3v (theregister.com)

    ===
    Europol shutters ransomware operation with kingpin arrests

    A few low-level stragglers remain on the loose, but biggest fish have
    been hooked

    Connor Jones
    Tue 28 Nov 2023 // 13:45 UTC

    International law enforcement investigators have made a number of
    high-profile arrests after tracking a major cybercrime group for more than
    four years.

    A joint investigation team (JIT), spearheaded by French authorities,
    formed in 2019 to bring down a ransomware group linked to major attacks
    across the world.

    Announcing the news today, Europol said that five individuals were
    arrested, including the 32-year-old leader of the group and four of its
    "most active accomplices."

    Thirty properties in Ukraine were raided on November 21 across the Kyiv,
    Cherkasy, Rivne, and Vinnytsia regions. A virtual command post was also
    established in Europol's Netherlands headquarters where data taken from
    the property raids was analyzed "immediately."

    Ukrainian National Police raid properties in search of the cybercriminals.
    Image courtesy of Europol.

    Europol said today in a press release that the arrests led to the
    "dismantlement" of the group.

    However, a spokesperson told The Register that "there are still a few
    members which are being sought after, but they're of lesser importance."

    The arrests follow 12 that were made in 2021, two years after the JIT was
    first assembled. Members of the same group were arrested in Ukraine and
    Switzerland, and key electronic devices were seized for forensic analysis,
    along with $52,000 in cash and five luxury vehicles.

    The seizure of the electronic devices and their subsequent analysis led to
    the identification of the key members arrested last week.

    Europol said "a number of operational sprints [had] been organized,"
    heavily involving the Norwegian authorities over the past two years to
    analyze the devices.

    Asked why the arrests have come so long after the initial seizure, a
    spokesperson told The Register that it takes time to gather enough
    evidence to prosecute cybercriminals.

    "As always with investigations as well, there's a strategy to try, we
    might have identified these members, but we were continuing to build the
    picture," they said.

    "Whenever you do all the forensic work, you uncover other leads, but open
    up the investigation that feeds into other existing investigations. That's
    why we were only able to do the second round of actions now."

    Also contributing to the two-year delay was the war in Ukraine starting in
    2022, shortly after the seizures were made. Europol believes this didn't
    slow investigations down at all, but the operation had to be reorganized.

    Who's been cuffed?

    The names of those arrested have not been released and the ransomware
    group itself doesn't behave like LockBit, AlphV/BlackCat or Rhysida. The
    cybercriminals were well-resourced and used multiple different strains to
    attack their targets.

    These included LockerGoga, MegaCortex, Hive, and Dharma. Europol said the
    group had attacked more than 250 servers belonging to organizations in 71
    countries, netting the group hundreds of millions of euros in the process.

    The group isn't tracked with a moniker, as many repeat offenders are, but
    it is responsible for major historical attacks, perhaps most notably the
    ransomware incident at Norsk Hydro.

    It was also responsible for the attack on French consultancy Altran, which
    is now known as Capgemini Engineering following a 2019 acquisition.

    The spokesperson said the arrested cybercriminals were not core members of
    any of the organizations behind the ransomware strains they used. However,
    they were on the radar of law enforcement for their involvement in
    numerous other incidents under separate investigations.

    Members all had different roles within the group. Some were responsible
    for the actual intrusion into victims' systems, while others specialized
    in areas such as money laundering - a branch of ransomware operations
    that's also under close examination by global authorities.

    "Those responsible for breaking into networks did so through techniques
    including brute force attacks, SQL injections, and sending phishing emails
    with malicious attachments in order to steal usernames and passwords,"
    Europol said.

    "Once inside the networks, the attackers remained undetected and gained
    additional access using tools including TrickBot malware, Cobalt Strike,
    and PowerShell Empire, in order to compromise as many systems as possible
    before triggering ransomware attacks." ®
    ===

    -- Sean

    ... Eyes hurt from excess screen time? There's a nap for that.
    --- MultiMail/Win v0.52
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)