Europol detains hackers behind 2019 Norsk Hydro ransomware attack

Europol and its law enforcement partners have disrupted a network of organized cybercriminals behind a string of ransomware attacks that has claimed more than 1,800 victims across 71 countries since 2019.

The EU’s police agency said on Friday that 12 individuals had been “targeted” in raids in Ukraine and Switzerland this week following a two-year investigation. The agency didn’t say whether these individuals had been arrested or charged, and has yet to respond to our request for more information.

The unnamed individuals were “known for specifically targeting large corporations, effectively bringing their business to a standstill,” Europol said. One of the ransomware strains the group used was LockerGoga, the same strain used in the attack against Norwegian aluminum processor Norsk Hydro in March 2019. The cyberattack forced the company’s plants across two continents to stop production for almost a week and cost Norsk Hydro more than $50 million.

In a separate press release, Norway’s National Criminal Investigation Service, commonly known as Kripos, confirmed that the targeted individuals were responsible for the Norsk Hydro attack.

Europol said the hackers also deployed the ransomware MegaCortex and Dharma, as well as malware like TrickBot and post-exploitation tools including Cobalt Strike and PowerShell Empire, to stay undetected and gain further access. “The criminals would then lay undetected in the compromised systems, sometimes for months, probing for more weaknesses in the IT networks before moving on to monetizing the infection by deploying a ransomware,” Europol said.

It’s unclear how much money the criminals made through their attacks, though Europol said it seized $52,000 in cash and five luxury vehicles.

“Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions,” Europol said. “The targeted suspects all had different roles in these professional, highly organized criminal organizations.”

Europol added that a number of the individuals are suspected of being in charge of laundering the ransom payments: “They would funnel the Bitcoin ransom payments through mixing services, before cashing out the ill-gotten gains,” Europol said.

Europol said law enforcement agencies from Norway, France, the U.K., Switzerland, Germany, Ukraine, the Netherlands and the U.S. participated in this week’s operation, with more than 50 foreign investigators deployed to Ukraine on October 26 to target the cybercriminals.