From the warm-and-fuzzy information comes this feel-good Friday put up, chronicling this week’s takedown of two hated ransomware teams. One vanished on Tuesday, allegedly after being hacked by a gaggle claiming allegiance to Ukraine. The different was taken out a day later due to a global police dragnet.
The first group, calling itself Trigona, noticed the content material on its darkish internet sufferer naming-and-shaming web site pulled down and changed with a banner proclaiming: “Trigona is gone! The servers of Trigona ransomware gang has been infiltrated and wiped out.” An outfit calling itself Ukrainian Cyber Alliance took credit score and included the tagline: “disrupting Russian criminal enterprises (both public and private) since 2014.”
Poor operational safety
A social media put up from a person claiming to be a Ukrainian Cyber Alliance press secretary mentioned his group focused ransomware teams partly as a result of they think about themselves out of attain of Western legislation enforcement.
“We just found one gang like that and did to them as they do to the rest,” the press secretary wrote. “Downloaded their servers (ten of them), deleted everything and defaced for the last time. TOR didn’t help them or even knowing they had a hole in it. Their entire infrastructure is completely blown away. Such a hunt forward.’”
A separate social media post dumped what the press secretary mentioned was an administrative panel key and mentioned the group worn out Trigona’s “landing, blog, leaks site, internal server (rocketchat, atlassian), wallets and dev servers.” The particular person additionally claimed that the Ukrainian Cyber Alliance hacked a Confluence server Trigona used.
By Friday, the Trigona web site was unavailable, as evidenced by the message “Onionsite not found.”
Trigona first surfaced in 2022 with shut ties to ransomware teams often called CryLock and BlackCat and looser ties to ALPHV. It primarily hacked corporations in the US and India, adopted by Israel, Turkey, Brazil, and Italy. It was recognized for compromising MYSQL servers, usually by brute forcing passwords. A June profile of the group by researchers from safety agency Trend Micro famous that the group’s technical sophistication was combined.
(*2*) the put up acknowledged.
The timeline of the hack, based mostly on the social media posts, means that the breach started roughly eight days in the past, with the hack of a Confluence server Trigona members used to collaborate. In an interview with the Record, the group mentioned it deliberate to show over information it seized to legislation enforcement authorities.
A takedown 2 years in the making
The second ransomware gang takedown this week occurred to Ragnar Locker, a gaggle that has hacked quite a few organizations worldwide. On Friday, Europol mentioned:
In an motion carried out between 16 and 20 October, searches had been carried out in Czechia, Spain and Latvia. The “key target” of this malicious ransomware pressure was arrested in Paris, France, on 16 October, and his residence in Czechia was searched. Five suspects had been interviewed in Spain and Latvia in the following days. At the finish of the motion week, the major perpetrator, suspected of being a developer of the Ragnar group, has been introduced in entrance of the inspecting magistrates of the Paris Judicial Court.
The ransomware’s infrastructure was additionally seized in the Netherlands, Germany and Sweden and the related information leak web site on Tor was taken down in Sweden.
Ragnar Locker emerged in 2019 and rapidly grew to become recognized for its success in hacking organizations in numerous sectors, together with well being care, authorities, expertise, finance, training, and media. It’s what’s often called a RAAS (ransomware as a service), wherein core members develop the encryption software program, run a central server, after which work with associates. The associates then hack victims, and earnings are divided between the two teams. More about the group is accessible right here and right here.
Friday’s Europol put up mentioned Ragnar Locker members warned victims to not contact authorities as a result of they might solely “muck things up.”
In reality, Europol members, together with the FBI and Ukrainian authorities, had been investigating the group since 2021 and steadily made progress, culminating on this week’s arrest and takedown.
“Little did they know that law enforcement was closing in on them,” Europol mentioned.