Dharma Ransomware Actors Detained in Ukraine

In the statement on the official website, Europol claimed searches in 30 properties in 4 cities in Ukraine, namely Kyiv, Cherkasy, Vinnytsia and Rivne. During the action, law enforcement detained the key person of the malware group, and some other actors. Searches also resulted in seizing a huge amount of data related to the criminal activity.

Detained persons are charged with compromising corporate networks in more than 70 countries around the globe and cryptocurrency laundering. Using malicious phishing, vulnerability exploitation and tactics the like, hackers were penetrating the networks. Further, they were using other tools to expand their presence in the environment and launch the ransomware attack. Overall, cybercriminals encrypted over 250 servers of different companies, which resulted in multi-million euro losses.

Europol has proven the relationship of the suspects to Dharma and Hive (which is defunct at the moment) ransomware groups. Investigation also shows that hackers are as well related to the spread of MegaCortex and LockerGoga ransomware back in late 2019. Dharma is the most active among the named ransomware, which is still an outsider of the modern threat landscape.

This operation accomplishes the list of anti-cybercrime actions that take place in Ukraine. Back in 2021, key criminals who standed behind Emotet malware were detained. Another operation that year led to the imprisonment of several cybercriminals related to the same Dharma gang. And even now, amidst the war course, local law enforcement are able to effectively cooperate with international agencies and combat cybercrime.

Europol Detains Group Members – But Why?

As usual, physical detainment of cybercriminals took quite some time, and required a team of investigators to perform property searches. This apparently became a redundant practice over the last time, as law enforcement tends to combat cybercrime in a different way.

The “Duck Hunt” operation, performed by the FBI in summer 2023, took place exclusively in the cloud. Law enforcement managed to detect and seize the entire network of tier 2 command servers of QakBot and managed to delete the malware from infected devices. Same story happened to the IPStorm botnet: the FBI beheaded the network of infected systems by seizing the command server and detaining its creator.

Is this practice effective? Yes, as it disrupts the malware operations, and makes it impossible for hackers to move on. At the same time though hackers remain free, and nothing stops them from joining other cybercrime groups. While decreasing the activity for a short period of time, this approach does not make a lot of difference in the long run.

The post Dharma Ransomware Criminals Captured in Ukraine, Europol Reports appeared first on Gridinsoft Blog.

What is the Ragnar ransomware group?

Ragnar a.k.a.Ragnar_Locker or RagnarLocker is a cyber extortion gang that runs ransomware attacks on corporations. Doble extortion, ransom sum negotiated on the Darknet page – quite common practices among modern hacker groups. However, the gang is not likely to operate on the Ransomware-as-a-Service model – the one that is used by the vast majority of other gangs.

Key attack vectors used by these hackers consist of exploiting vulnerabilities in network protocols or cloud applications. Additionally, Ragnar is known for cooperating with cybercriminals who provide initial access. During their attack, ransomware deployment is not mandatory – there were cases when the attack was only about data exfiltration.

But why did law enforcement pay so much attention to RagnarLocker? Well, the answer becomes obvious when you have a look at the victims of this ransomware. Capcom, Campari, City of Antwerp, Energias de Portugal, ADATA – these and numerous other companies/municipalities were struck. It was not just about spooking small companies – they were regularly opting for serious targets.

RagnarLocker Shut Down By the FBI & European Law Enforcement

On October 19, Europol claimed the disruption of Ragnar Locker ransomware operations as the result of a successful operation. The latter consisted of locating and seizing the servers which belonged to the ransomware gang. This method repeats the one used by the FBI in the operation Duck Hunt, that took down the entire QakBot botnet in late August 2023.

Another similar event occurred days ago, when the Ukrainian Cyber Alliance wiped the network infrastructure of Trigona Ransomware. As I said in the introduction, this appears to be a new trend. And its adoption is understandable – it is much faster and still effective compared to detaining the key actors of the organised crime gang.

Currently, the visible effect of the infrastructure takedown is the banner on the Darknet negotiation site of RagnarLocker. Taking hands on the network infrastructure means not only making malware operations impossible. Most likely, all the decryption keys, along with the decryptor utilities hackers were offering for hundreds of thousands of dollars, are now in hands of law enforcement.

Is this the Ragnarok for Ragnar Locker?

The effect from complete confiscation of network infrastructure is hard to underestimate. Even though threat actors are not detained and can keep working, there is a lot of work to recover the servers. Moreover, the funding during this recovery is questionable – law enforcement could have accessed hackers’ crypto wallets as well.

My guess is that group members will simply move to other ransomware gangs, abandoning their own one. RagnarLocker never showed its passion towards the brand name, so there won’t be many stopping factors against this step. Though, we haven’t seen “full-fledged” gang dissolutions since Conti shutdown in 2022. Maybe, it will be different this time?

The post Ragnar Locker Ransomware Shutdown, Infrastructure Seized appeared first on Gridinsoft Blog.

Let me remind you that we wrote that Ukrainian Law Enforcers Arrested Hackers Who Sold More Than 30 Million Accounts, and also that Ukrainian law enforcement officers arrested members of the hacker group Phoenix.

Fraudsters operated call centers and offices in Germany, Spain, Latvia, Finland, Albania, and Ukraine and forced their victims to make fake investments.

The publication Bleeping Computer says that the criminals have created an extensive network of fake sites disguised as resources for investors in cryptocurrencies, stocks, bonds, futures, and options. The scammers pretended that the investments were profitable for the investors, convincing the victims that they could make a quick profit and tricking them into investing even more.

In fact, neither the investment nor the “profit” could be withdrawn from the fraudulent platforms, and by the time the victims realized what was happening, they were already losing huge sums.

The FBI recently warned about this type of fraud, calling such attacks “pig butchering“. Law enforcers wrote that this is a very profitable scheme used by scammers around the world.

The FBI explained that scammers use social engineering and get in touch with people (“pigs”) on social networks. Over time, perpetrators gain the trust of victims by faking friendship or romantic interest, and sometimes even posing as real friends of the target. Then, at some point, the criminals offer the victim to invest in cryptocurrency, for which the target is directed to a fake site. As mentioned above, it is impossible to return funds and receive fake “income” from such a resource.

These scams can last for months, and the victims give the scammers huge sums (from thousands to millions of dollars) before realizing they have been scammed. For example, Forbes recently reported on a 52-year-old man from San Francisco who lost about a million dollars due to “slaughtering pigs.” In this case, the scammers pretended to be an old colleague of the victim.

According to a Ukrainian cyber police statement, the criminal group has hired more than 2,000 people in its call centers, luring victims to fraudulent websites. There were three call centers located in the territory of Ukraine, and five people detained by the police were allegedly the organizers of local operations. It is reported that during the searches conducted in Kyiv and Ivano-Frankivsk, more than 500 pieces of computer equipment and mobile phones were seized.

The detainees will be charged with fraud, which is punishable by up to eight years in prison.

But cyber scammers do not live by slaughtering pigs alone, for example, the media recently reported that the Cyber Police of Ukraine had neutralized a large phishing service, which operators’ attacked banks in eleven countries.

The post Ukrainian Cyber Police and Europol Arrested Fraudsters Involved in Fake Investments appeared first on Gridinsoft Blog.

Belgium and the Netherlands have conducted a Europol-supported operation to neutralize a group of cybercriminals. Malefactors made millions of euros with phishing and other fraudulent schemes.

The operation was carried out by Belgium and Netherlands police with the support of Europol. The Dutch police have arrested nine people aged between 25 and 36, eight men and a woman. The authorities have also searched 24 houses throughout the country.

The police have confiscated firearms, electronic devices, jewelry, and cryptocurrency from the suspects. The Belgian authorities initially started the investigation, so the individuals arrested in the Netherlands will be extradited to Belgium.

According to the police evidence, the suspects did phishing and other Internet scams that allowed them to make millions of euros. Cybercriminals sent emails, text messages, and WhatsApp messages to their victims. The SMS and letters contained a link to a spoofed bank website made for collecting users’ credentials. After getting these data, the crooks gained access to their victims’ bank accounts.

Europol report states that the frauds used mules to transfer and cash out funds from the victim’s accounts. The gang members have also turned out to be connected to illegal firearms and drug trafficking.

The post Nine Web Scammers Arrested by Dutch Police in a Europol Operation appeared first on Gridinsoft Blog.

Let me remind you that we also talked about the fact that Law enforcement officers closed the hacker resource RaidForums, and also that the US authorities arrest Kaseya hacker and attacker associated with REvil and GandCrab.

11 countries participated in the FluBot malware eradication operation.

According to law enforcers, FluBot actively spread via text messages, stealing passwords, bank details and other confidential information from infected smartphones. The infrastructure supporting the Trojan was destroyed by the Dutch police in May, leaving the malware inactive, Europol reports.

FluBot was first seen in December 2020, when the malware swept the world in a wave, hacking into millions of devices. The Trojan’s hallmark was its method of distribution – harmless SMS messages. In them, the victim was asked to follow a link and install and install an application to track packages or listen to a fake voice message.

After installation, FluBot requested permission to access device data. Once they gained access, the hackers stole the credentials of the victims’ banking applications and cryptocurrency accounts, and then disabled the built-in security mechanisms.

Since the malware could access the contact list, it spreadsg like a natural disaster, sending messages with links to FluBot to all the victim’s contacts.

According to Europol, experts are still looking for attackers who distributed FluBot around the world.

Recall that not so long ago a wave of FluBot infections took place in Finland. Within 24 hours, the malware managed to infect the devices of tens of thousands of victims.

The post Europol and Intelligence Agencies of 11 Countries Destroyed the FluBot Trojan Infrastructure appeared first on Gridinsoft Blog.

The operation was reportedly prepared by the authorities of the United States, Great Britain, Sweden, Germany, Portugal and Romania for more than a year.

The US Department of Justice writes that the site administrator, known by the nickname Omnipotent, was arrested on January 31, 2022 in the UK, and he has already been charged. He was in custody from the time of his arrest until the completion of the extradition proceedings.

Since 21-year-old Portuguese citizen Diogo Santos Coelho was hiding behind the pseudonym Omnipotent, it turns out that he launched RaidForums when he was 14 years old, since the site has been running since 2015.

Law enforcers seized the domains hosting RaidForums: raidforums.com, rf.ws and raid.lol.

According to statistics from the US Department of Justice, in total, more than 10 billion unique records from hundreds of hacked databases were put up for sale on the marketplace, including those affecting people living in the United States. In turn, Europol reports that RaidForums had more than 500,000 users and was “one of the largest hacker forums in the world.” It is worth adding here that we are talking about English-language resources.

It is not yet known how long the investigation took overall, but law enforcement seems to have managed to get a pretty clear picture of the RaidForums hierarchy. The Europol press released notes that the people who supported the work of RaidForums were engaged in administration, money laundering, stolen and uploaded data to the site, and also bought stolen information.

At the same time, Diogo Santos Coelho, mentioned above, allegedly controlled RaidForums from January 1, 2015, that is, from the very beginning, and managed the site with the support of several administrators, organizing a structure to promote the purchase and sale of stolen data. To make a profit, the forum charged users for various membership levels and sold credits that allowed members to gain access to more privileged areas of the site or to stolen data posted on the forum.

Coelho also acted as an intermediary and guarantor between the parties, making transactions, undertaking to see that buyers and sellers would honor the agreements.

Bleeping Computer writes that back in February 2022, criminals and security researchers suspected that RaidForums had been taken over by law enforcement, as the site began displaying a login form on every page. When trying to enter the site, it simply showed the login page again, and many suspected that the site was taken over and this was a phishing attack by law enforcement agencies who are trying to get the attackers’ credentials.

On February 27, 2022, the raidforums.com DNS servers changed completely to jocelyn.ns.cloudflare.com and plato.ns.cloudflare.com, which only convinced the hackers that they were right. The fact is that in the past these DNS servers were used by other sites seized by the authorities, including weleakinfo.com and doublevpn.com.

RaidForums, which appeared back in 2015, has recently become widely known due to ransomware operators who leaked data stolen from victims to the site in order to force them to pay a ransom. For example, this tactic was previously used by Babuk and Lapsus$ operators.

However, earlier, when the resource was not so popular, its community specialized in swatting, as well as raiding, which The US Department of Justice describes it as “publishing or sending a huge number of contacts to the online medium that the victim uses to communicate.”

In recent years, the marketplace has been a favorite place for hackers to sell stolen databases or simply share them for free with other forum members.

Let me remind you that we also talked about the fact that Hydra Market Shut Down by the German Authorities.

The post Law enforcement officers closed the hacker resource RaidForums appeared first on Gridinsoft Blog.

A press release from the Ukrainian cyber police states that the authorities have arrested a 25-year-old resident of Kiev. Searches were carried out at the place of residence of the suspect and in the homes of his relatives, as a result of which computer equipment, mobile phones, vehicles, more than $ 360,000 in cash were seized, and about $1.3 million in cryptocurrency were blocked.

In turn, Europol reports the arrest of two hackers who have been active since April 2020. At the same time, it is emphasized that this group “is known for its extortionate demands for a ransom from 5 to 70 million euros.”

Due to the mention of such large ransom amounts, some information security experts suggested that two suspects may be associated with the ransomware group REvil.

Let me remind you that the Cyber Police of Ukraine arrested persons linked with the Clop ransomware.

The post Ukrainian cyber police arrested ransomware operators who “earned” $150 million appeared first on Gridinsoft Blog.

By 2025, next-generation technologies such as ubiquitous connectivity, artificial intelligence, quantum computing or new approaches to identity and access management could overwhelm the defences and lead to a global cyber pandemic, experts at the World Economic Forum’s Cybersecurity Centre predict.

The World Economic Forum’s Centre for Cybersecurity has created a community of security and technology leaders to identify future global risks from next-generation technology in order to avert a cyber pandemic.

In this regard, the WEF, together with the Oxford Martin School at the University of Oxford, launched an initiative called Future Series: Cybercrime 2025, the main goal of which is to identify the approaches required to manage cyber risks associated with major technology trends.

More than 150 global cybersecurity experts from information security companies, research institutions and other organizations, including Palo Alto Networks, Mastercard, KPMG, Europol, ENISA and NIST, are involved in the program.

There is already a global capacity gap in cybersecurity (professionals and all personnel), and as new technologies emerge, the cybersecurity skills gap will widen.

Among the recommended approaches, the WEF lists reducing the global capacity gap in cybersecurity, creating a workforce, and moving away from fragmented approaches to cybersecurity that lead to interdependencies and confusion of policies and technologies.

If you want to be afraid the future even more, read our post: Apocalypse Now: experts presented a new type of cyber-biological attack.

The post WEF warned of impending cyber pandemic appeared first on Gridinsoft Blog.