{
	"id": "628fe41a-b6ef-47d7-9ca1-0d4db8d09458",
	"created_at": "2026-04-06T00:14:13.622989Z",
	"updated_at": "2026-04-10T13:12:28.932667Z",
	"deleted_at": null,
	"sha1_hash": "36ba7b0111c52aa8ddaa055e6e10c1a20a58c2b7",
	"title": "Europol detains suspects behind LockerGoga, MegaCortex, and Dharma ransomware attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 86340,
	"plain_text": "Europol detains suspects behind LockerGoga, MegaCortex, and\r\nDharma ransomware attacks\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-18 · Archived: 2026-04-05 16:11:28 UTC\r\nEuropol said it detained 12 suspects this week it believes were part of a professional criminal group that\r\norchestrated a long string of ransomware attacks that targeted large companies and which hit more than\r\n1,800 victims across 71 countries since 2019.\r\nThe suspects were detained on Tuesday, October 26, in Ukraine and Switzerland.\r\n\"Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions,\" Europol said in a press release today.\r\n\"Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT\r\nnetworks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious\r\nattachments,\" the agency said.\r\nOnce inside a network, Europol said the group would spend months probing for weaknesses in order to move\r\nlaterally across the network and expand their access.\r\nThe group would often deploy malware such as TrickBot, or post-exploitation frameworks such as Cobalt Strike\r\nor PowerShell Empire, to stay undetected and gain further access.\r\nThe group appears to have been an affiliate for multiple Ransomware-as-a-Service (RaaS) platforms, having used\r\ndifferent ransomware families, such as LockerGoga, MegaCortex, and Dharma.\r\nEuropol said that some of this week's arrests also included individuals who helped the group launder ransom\r\npayments once a victim had paid.\r\nGroup linked to Norsk Hydro attack\r\nAccording to a press release from Kripos, the criminal investigation division of Norwegian police, the 12 suspects\r\nare believed to have orchestrated the ransomware attack on Norwegian aluminum processor Norsk Hydro in\r\nMarch 2019, a ransomware attack that forced the 
company's factories across two continents to stop production for\r\nalmost a week.\r\nEuropol said law enforcement agencies from Norway, France, the UK, Switzerland, Germany, Ukraine, the\r\nNetherlands, and the US participated in this week's arrests and investigation.\r\n\"More than 50 foreign investigators, including six Europol specialists, were deployed to Ukraine for the action\r\nday to assist the National Police with conducting jointly investigative measures. A Ukrainian cyber police officer\r\nwas also seconded to Europol for two months to prepare for the action day,\" Europol said.\r\nThis week's arrests come after two ransomware operators were also detained in Ukraine three weeks before, at the\r\nstart of the month, and six suspects who laundered money for the Clop ransomware group were detained in June,\r\nalso in Ukraine.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/europol-detains-suspects-behind-lockergoga-megacortex-and-dharma-ransomware-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/europol-detains-suspects-behind-lockergoga-megacortex-and-dharma-ransomware-attacks/"
	],
	"report_names": [
		"europol-detains-suspects-behind-lockergoga-megacortex-and-dharma-ransomware-attacks"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36ba7b0111c52aa8ddaa055e6e10c1a20a58c2b7.pdf",
		"text": "https://archive.orkl.eu/36ba7b0111c52aa8ddaa055e6e10c1a20a58c2b7.txt",
		"img": "https://archive.orkl.eu/36ba7b0111c52aa8ddaa055e6e10c1a20a58c2b7.jpg"
	}
}