Police take a piece out of a ransomware gang, but won’t say which one

One of the world’s ransomware groups appears to be a couple of members short today—and about two million dollars less rich—but nobody is sure which one. Police are staying tight-lipped about who’s short-handed following the arrest of two individuals in Kyiv, Ukraine. The arrests are part of a joint operation by the FBI, the French National Gendarmerie, and the Ukrainian National Police.

What little we do know comes by way of a terse Europol press release—which says that police seized $375,000 in cash, a further $1.3 million in cryptocurrencies and two “luxury vehicles”—and a press release and video by Ukrainian police.

The video shows police searching a surprisingly clean and tidy apartment. Among the usual ransomware gang paraphernalia of mobile phones, laptops, a fancy-pants computer “rig”, gaming chairs, and wads of cash, we also get a peek at some of the more surprising and mundane aspects of life as (or perhaps with) a modern-day digital criminal. The video reveals enough flowers and little gift boxes to suggest it was a special day for somebody, as well as the occupants’ fondness for both Capri Sun and brands like Louis Vuitton and Senso.

[Image: Laptops and flowers] The police video suggests somebody’s special day didn’t go as well as they’d hoped.

Of course what we really want to know is which ransomware group has taken a hit. There, we’re getting only crumbs from the police and guesswork from Twitter sleuths. Europol has divulged that the people arrested belong to an organised crime group “suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards.” It says the criminals “would deploy malware and steal sensitive data from these companies, before encrypting their files”, a fairly vanilla description of modern-day ransomware. It describes the people arrested as “two prolific ransomware operators known for their extortionate ransom demands (between €5 to €70 million)”.

The individuals could belong to one of the well known ransomware groups, but it’s worth remembering that lots of ransomware is operated “as a service”, by affiliates. In either case, it’s fair to say that others will be along shortly to fill the void they leave, should those arrested be required to occupy a jail cell.

Europol says it helped the joint operation with analytical, malware, forensic, and crypto-tracing support. The last item is the least surprising on the list. The modern ransomware phenomenon is entirely reliant on cryptocurrencies like Bitcoin, and many observers have identified that dependence as ransomware’s Achilles’ heel.

Why? Because cryptocurrency payments are very public. While the identities of payers and payees are hidden behind pseudonymous IDs, the actual payments happen in broad daylight and are recorded forever in giant distributed databases called blockchains. If real people can be linked to those IDs, then their role in ransomware transactions can be revealed.

A few years ago, we were all fond of describing the analysis of relationships in very large databases as Big Data, and the Bitcoin blockchain is the biggest of Big Data. It contains every transaction ever made with the cryptocurrency, nothing can ever be removed from it, anyone can own a copy, and law enforcement’s ability to analyse the patterns within it improves with time and with every additional payment.
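The linking described above, as an added example that is not part of the article: a toy chain-analysis pass over a constructed ledger (not real chain data) that clusters addresses with the common-input-ownership heuristic, spreads a label known for one address across its cluster, and walks payments forward hop by hop. Address names, amounts and the "gang-wallet" label are all invented for the demo.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real chain data); each tx co-spends its inputs.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["victimA"], "outputs": [("ransomX", 50.0)]},
    {"txid": "t2", "inputs": ["victimB"], "outputs": [("ransomY", 25.0)]},
    {"txid": "t3", "inputs": ["ransomX", "ransomY"], "outputs": [("hop1", 74.9)]},
    {"txid": "t4", "inputs": ["hop1"], "outputs": [("cashout", 74.8)]},
]

def cluster_addresses(txs):
    """Common-input-ownership heuristic via union-find: {address: cluster_root}."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        root = find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = root  # co-spent inputs share one owner
        for addr, _ in tx["outputs"]:
            find(addr)  # register outputs as singleton clusters
    return {a: find(a) for a in parent}

def label_clusters(clusters, known):
    """Spread a label known for one address (e.g. from a ransom note) to its cluster."""
    root_label = {clusters[a]: lbl for a, lbl in known.items() if a in clusters}
    return {a: root_label[r] for a, r in clusters.items() if r in root_label}

def trace_forward(txs, start, max_hops=3):
    """Breadth-first walk of the payment graph: {address: hops from start}."""
    edges = defaultdict(list)
    for tx in txs:
        for src in tx["inputs"]:
            edges[src].extend(dst for dst, _ in tx["outputs"])
    seen, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        if seen[cur] < max_hops:
            for nxt in edges[cur]:
                if nxt not in seen:
                    seen[nxt] = seen[cur] + 1
                    queue.append(nxt)
    return seen
```

Real investigations layer many more heuristics and exchange records on top of this, but the two moves shown here, clustering co-spent addresses and following outputs to a cash-out point, are the core of "follow the money".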

The US government has been turning up the heat on ransomware gangs this year and has been quite open about its intention to follow the money. So it won’t surprise you to learn that one of the people arrested in this recent raid is believed to be involved in money laundering. Nor is it a surprise that a similar raid against the Clop ransomware gang earlier this year, also carried out by police in Ukraine and also in the Kyiv area, targeted that gang’s money laundering operation too.