Authorities Arrest Suspected Ukrainian Ransomware Operators


November 28, 2023

Law enforcement agencies from seven nations joined forces with Europol and Eurojust to raid and arrest “key figures” behind significant ransomware operations emanating from Ukraine.

“On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia, resulting in the arrest of the 32-year-old ringleader. Four of the ringleader's most active accomplices were also detained. The individuals under investigation are believed to be part of a network responsible for a series of high-profile ransomware attacks against organisations in 71 countries,” Europol reports.

“These cyber actors are known for specifically targeting large corporations, effectively bringing their businesses to a standstill. They deployed LockerGoga, MegaCortex, HIVE and Dharma ransomware, among others, to carry out their attacks.”

Takeaway: Strengthening international cooperation in regard to threat intelligence sharing and collective action to bring ransomware and data extortion attackers to justice is certainly welcome news.

Ransomware operators are nothing less than terrorists who prey on the weakest targets with zero conscience - healthcare providers, schools, and regular people from all walks of life who get notification after notification that their personal data was compromised in ransomware attacks.

But will arrests of low-level players in the ransomware economy actually work to diminish the threat from ransomware attacks? No, not at all.

While we have seen some arrests here and there of affiliates and other low-level threat actors in the space, none have had any real impact on the burgeoning ransomware threat-scape.

Law enforcement actions against criminal elements are necessary, but even when these threat actors are arrested, there is quickly someone to take their place.  

With ransomware and data extortion attacks being hugely profitable, it’s clear we won’t solve this problem on the attacker side of the equation.  

While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space here and there, overall law enforcement has had very little impact in regard to disrupting ransomware operations.

We have seen some big organizations get hobbled by ransomware attacks. This demonstrates that even if an organization has ample resources to stand up a very mature security program, it takes the exploitation of just one unpatched vulnerability to bring it to its knees.

Organizations cannot simply focus on deploying preventative technologies and data backups and expect that to be enough. Threat actors have proven time and again that they can easily bypass or blind Endpoint Protection tools like AV/NGAV/EDR/XDR.  

Organizations have to prepare for the worst-case scenarios in which a ransomware attack is successful, and data has been exfiltrated for added pressure to pay.  

It requires both robust prevention and an agile resilience strategy to defend against this wave of ransomware attacks. This approach includes endpoint protection solutions, patch management, data backups, access controls, and employee awareness training.  

Most important is to test these precautions through regular procedure and resilience testing. Resilience is the key here, and tabletop exercises will help organizations better understand where the gaps in their business continuity plans exist.  

Our advice to organizations is to regularly stress test their defense as well as go through all the motions for remediation and recovery to ensure all stakeholders are ready to jump into action when needed - time is critical.

Halcyon is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware. Talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.