Global Alliance Takes Down Notorious Ukrainian Ransomware

Law enforcement and judicial authorities from seven countries, including Norway, France, Germany, the United States, the Netherlands, Switzerland, and the United Kingdom, have successfully collaborated with Europol and Eurojust to dismantle a notorious ransomware group operating out of Ukraine. This operation, which unfolded amidst the country’s ongoing struggles with Russia’s military aggression, targeted key figures behind high-profile ransomware attacks responsible for losses amounting to hundreds of millions of euros.

The operation, executed on November 21, involved the search of 30 properties in Kyiv, Cherkasy, Rivne, and Vinnytsia, leading to the arrest of a 32-year-old ringleader. Additionally, four of the ringleader’s most active accomplices were apprehended. The international effort showcased solidarity in combating cyber threats at a time when Ukraine faces multifaceted challenges.

Over 20 investigators from Norway, France, Germany, and the United States were deployed to Kyiv to collaborate with the Ukrainian National Police in executing investigative measures. Simultaneously, Europol’s headquarters in the Netherlands activated a virtual command post to analyze the data seized during the house searches in Ukraine.

This recent action follows a series of arrests in 2021 under the same investigation, with subsequent operational sprints organized by Europol and Norwegian authorities to forensically analyze devices seized in Ukraine. The forensic follow-up work played a crucial role in identifying the suspects targeted in the recent operation in Kyiv.

The individuals under investigation are linked to a network responsible for high-profile ransomware attacks affecting organizations in 71 countries. Notorious for targeting large corporations, the cyber actors deployed various ransomware strains, including LockerGoga, MegaCortex, HIVE, and Dharma, effectively crippling businesses.

The suspects played diverse roles within the criminal organization, with some compromising IT networks, while others were involved in laundering cryptocurrency payments made by victims to decrypt their files. Their techniques included brute force attacks, SQL injections, and phishing emails with malicious attachments to steal credentials. Once inside the networks, the attackers used tools such as TrickBot malware, Cobalt Strike, and PowerShell Empire to compromise systems before triggering ransomware attacks.

The investigation revealed that the perpetrators encrypted over 250 servers of large corporations, resulting in losses exceeding several hundred million euros.

Initiated by the French authorities in September 2019, a Joint Investigation Team (JIT) was established, comprising Norway, France, the United Kingdom, and Ukraine, with support from Eurojust. Despite the ongoing war in Ukraine, international cooperation remained unwavering, with agencies from the Netherlands, Germany, Switzerland, and the United States conducting parallel investigations.

A Ukrainian cyber police officer played a pivotal role, initially seconded to Europol for two months to prepare for the operation before being permanently deployed to facilitate ongoing law enforcement cooperation. Europol’s European Cybercrime Centre (EC3) hosted operational meetings, providing support for digital forensics, cryptocurrency, and malware. Eurojust facilitated communication and judicial cooperation through twelve coordination meetings.

Notably, the forensic analysis conducted in this investigation enabled Swiss authorities, in collaboration with No More Ransom partners and Bitdefender, to develop decryption tools for LockerGoga and MegaCortex ransomware variants, available for free on

The dismantlement of this ransomware group highlights the power of international collaboration in the face of cyber threats, showcasing the resilience and determination of global law enforcement agencies to protect businesses and individuals from the devastating impact of cybercrime.