The Ukrainian and French police, supported by the FBI, have led coordinated raids in Ukraine that have resulted in the arrest of two "prolific ransomware" operators and the seizure of cash, cars, and cryptocurrency.
Victims had suffered over $150 million in damages, Ukrainian police said.
Europol, which was also involved in the action, did not name the ransomware group in question. A Europol press officer said: "If the info is not included in our press release, there’s a(n operational) reason why. Believe me, every word in our PRs is carefully chosen/negotiated!"
"The organised crime group is suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards. The criminals would deploy malware and steal sensitive data from these companies, before encrypting their files," Europol said.
A video from the National Police of Ukraine shows armed officers knocking politely at the door of the building in question before being buzzed in. Once inside, they seized $375,000 in cash and two luxury vehicles worth €217,000, and froze cryptocurrency assets worth $1.3 million; likely only a fraction of the pair's earnings.
The raid, which also involved Interpol and Europol, comes four months after Ukrainian, South Korean, and US law enforcement authorities said they had arrested six cybercriminals behind the Clop ransomware attacks on the University of California and scores of other US and South Korean companies.
The ransomware world is notoriously fluid and something of a many-headed hydra, but coordinated actions like this can still yield important intelligence for law enforcement agencies. Ransomware generated $350 million in 2020, according to Chainalysis, a 311% increase over the previous year.
On Tuesday, September 21, meanwhile, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) released a new advisory [pdf] on the sanctions risks associated with facilitating ransomware payments.
While the advisory does not explicitly criminalise ransom payments, it emphasises that OFAC "may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations". It points to a string of recent indictments against cybercriminals and the sanctions imposed on them.
"Meaningful steps taken to reduce the risk of extortion by a sanctioned actor through adopting or improving cybersecurity practices, such as those highlighted in the Cybersecurity and Infrastructure Security Agency’s (CISA) September 2020 Ransomware Guide, will be considered a significant mitigating factor in any... enforcement response," it added.
"Such steps could include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others."