{
	"id": "b627a456-7ff9-41e3-bd7d-1803ceabb44c",
	"created_at": "2026-04-06T00:06:18.855Z",
	"updated_at": "2026-04-10T03:21:37.720754Z",
	"deleted_at": null,
	"sha1_hash": "7316b2c523ac1422ca3295aa368145b27224b599",
	"title": "12 targeted for involvement in ransomware attacks against critical infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41926,
	"plain_text": "12 targeted for involvement in ransomware attacks against critical\r\ninfrastructure\r\nBy Europol\r\nPublished: 2021-10-29 · Archived: 2026-04-05 20:40:15 UTC\r\nA total of 12 individuals wreaking havoc across the world with ransomware attacks against critical infrastructure\r\nhave been targeted as the result of a law enforcement and judicial operation involving eight countries.\r\nThese attacks are believed to have affected over 1 800 victims in 71 countries. These cyber actors are known for\r\nspecifically targeting large corporations, effectively bringing their business to a standstill.\r\nThe actions took place in the early hours of 26 October in Ukraine and Switzerland. Most of these suspects are\r\nconsidered high-value targets because they are being investigated in multiple high-profile cases in different\r\njurisdictions.\r\nAs the result of the action day, over USD 52 000 in cash was seized, alongside 5 luxury vehicles. A number of\r\nelectronic devices are currently being forensically examined to secure evidence and identify new investigative\r\nleads.\r\nThe ticking time bomb of undetected malware\r\nThe targeted suspects all had different roles in these professional, highly organised criminal organisations. Some\r\nof these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT\r\nnetworks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious\r\nattachments.\r\nOnce on the network, some of these cyber actors would focus on moving laterally, deploying malware such as\r\nTrickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected and\r\ngain further access.\r\nThe criminals would then lay undetected in the compromised systems, sometimes for months, probing for more\r\nweaknesses in the IT networks before moving on to monetising the infection by deploying a ransomware. These\r\ncyber actors are known to have deployed LockerGoga, MegaCortex and Dharma ransomware, among others.\r\nThe effects of the ransomware attacks were devastating as the criminals had had the time to explore the IT\r\nnetworks undetected. A ransom note was then presented to the victim, which demanded the victim pay the\r\nattackers in Bitcoin in exchange for decryption keys. \r\nA number of the individuals interrogated are suspected of being in charge of laundering the ransom payments:\r\nthey would funnel the Bitcoin ransom payments through mixing services, before cashing out the ill-gotten gains.;\r\nInternational cooperation\r\nhttps://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure\r\nPage 1 of 3\n\nInternational cooperation coordinated by Europol and Eurojust was central in identifying these threat actors as the\r\nvictims were located in different geographical locations around the world.\r\nInitiated by the French authorities, a joint investigation team (JIT) was set up in September 2019 between Norway,\r\nFrance, the United Kingdom and Ukraine with financial support of Eurojust and assistance of both Agencies. The\r\npartners in the JIT have since been working closely together, in parallel with the independent investigations of the\r\nDutch and U.S. authorities, to uncover the actual magnitude and complexity of the criminal activities of these\r\ncyber actors to establish a joint strategy.\r\nEurojust established a coordination centre to facilitate cross-border judicial cooperation during the action day. In\r\npreparation of this, seven coordination meetings were held.\r\nEuropol’s European Cybercrime Centre (EC3) hosted operational meetings, provided digital forensic,\r\ncryptocurrency and malware support and facilitated the information exchange in the framework of the Joint\r\nCybercrime Action Taskforce (J-CAT) hosted at Europol’s headquarters in The Hague.\r\nMore than 50 foreign investigators, including six Europol specialists, were deployed to Ukraine for the action day\r\nto assist the National Police with conducting jointly investigative measures. A Ukrainian cyber police officer was\r\nalso seconded to Europol for two months to prepare for the action day.\r\nThis operation was carried out in the framework of the European Multidisciplinary Platform Against Criminal\r\nThreats (EMPACT).\r\nThe following authorities took part in this operation:\r\nNorway: National Criminal Investigation Service (Kripos)\r\nFrance: Public Prosecutor’s Office of Paris, National Police (Police Nationale - OCLCTIC)\r\nNetherlands: National Police (Politie), National Public Prosecution Service (Landelijk Parket, Openbaar\r\nMinisterie)\r\nUkraine: Prosecutor General’s Office (Офіс Генерального прокурора), National Police of Ukraine\r\n(Національна поліція України)\r\nUnited Kingdom: Police Scotland, National Crime Agency (NCA)\r\nGermany: Police Headquarters Reutlingen (Polizeipräsidium Reutlingen)\r\nSwitzerland: Federal Police (fedpol), Polizei Basel-Landschaft\r\nUnited States: United States Secret Service (USSS), Federal Bureau of Investigations (FBI) \r\nEuropol: European Cybercrime Centre (EC3)\r\nEurojust \r\nEmpact\r\nThe European Multidisciplinary Platform Against Criminal Threats (EMPACT) tackles the most important threats\r\nposed by organised and serious international crime affecting the EU. EMPACT strengthens intelligence, strategic\r\nand operational cooperation between national authorities, EU institutions and bodies, and international partners.\r\nEMPACT runs in four-year cycles focusing on common EU crime priorities.\r\nhttps://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure\r\nPage 2 of 3\n\nSource: https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure\r\nhttps://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.europol.europa.eu/newsroom/news/12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure"
	],
	"report_names": [
		"12-targeted-for-involvement-in-ransomware-attacks-against-critical-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775433978,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7316b2c523ac1422ca3295aa368145b27224b599.pdf",
		"text": "https://archive.orkl.eu/7316b2c523ac1422ca3295aa368145b27224b599.txt",
		"img": "https://archive.orkl.eu/7316b2c523ac1422ca3295aa368145b27224b599.jpg"
	}
}