Joint global ransomware operation sees arrests and criminal network dismantled

8 November 2021
Police and private industry partnership lands ransomware criminals behind bars

Singapore – A four-year operation across five continents has disrupted a ransomware cybercrime gang and seen the arrest of seven suspects believed to be behind global malware crime operations.

Codenamed ‘Quicksand’ (GoldDust) and carried out by 19 law enforcement agencies in 17 countries, the transcontinental operation saw officers collect and examine intelligence to establish a global threat picture about attacks by ransomware families - particularly GandCrab and REvil-Sodinokibi - and the suspects behind them.

The organized crime group that used this malware is known for breaking into business and private networks using a range of infiltration techniques, and then deploying ransomware against their victims. The ransomware encrypts files, which are then used to blackmail companies and people into paying huge ransoms.

The suspects arrested during Operation Quicksand are suspected of perpetrating tens of thousands of ransomware infections and demanding more than EUR 200 million in ransom.

Tangible results: multiple arrests worldwide

Intelligence exchanged during the operation enabled:

  • Korean law enforcement to arrest three suspects in February, April and October;
  • Kuwaiti authorities to arrest a man thought to have carried out ransomware attacks using the GandCrab ransomware;
  • Romanian authorities to arrest two individuals suspected of ransomware cyber-attacks and believed to be responsible for 5,000 infections as well as half a million euros profit in ransom payments;
  • The arrest of a man believed to be responsible for the Kaseya ransomware attack, thought to have been carried out last July by the REvil gang with more than 1,500 people and 1,000 businesses affected worldwide.

“Ransomware has become too large of a threat for any entity or sector to address alone; the magnitude of this challenge urgently demands united global action which INTERPOL can uniquely facilitate as a neutral and trusted global partner,” said INTERPOL Secretary General Jürgen Stock.

“Policing needs to harness the insights of the cyber security industry to identify and disrupt cyber criminals as part of a true coalition, working together to reduce the global impact of ransomware cybercrime,” added the Secretary General.

A powerful global coalition

A joint INTERPOL-Europol operation, Quicksand was coordinated from INTERPOL’s Cyber Fusion Centre in Singapore where stakeholders shared live intelligence in an interactive and secure environment via INTERPOL’s global network and capabilities.

Through INTERPOL’s Gateway project, INTERPOL’s private partners Trend Micro, CDI, Kaspersky Lab and Palo Alto Networks also contributed to investigations by sharing information and technical expertise.  
Gateway boosts law enforcement and private industry partnerships to generate threat data from multiple sources and enable police authorities to prevent attacks.

Bitdefender supported operations by releasing tailor-made decryption tools to unlock ransomware and enable victims to recover files.  These innovative tools enabled more than 1,400 companies to decrypt their networks, saving them almost EUR 475 million in potential losses.

KPN, McAfee and S2W helped investigations by providing cyber and malware technical expertise to INTERPOL and its member countries.

Operation Quicksand continues to supply evidence that is feeding into further cybercrime investigations and enabling the international police community to disrupt numerous channels used by cybercriminals to launder cryptocurrency and commit ransomware crime.

With the combined global financial impact in ransom payments from ransomware families believed to be within the billions of dollars and thousands of victims worldwide, INTERPOL’s private partners and member countries work together to provide support to victims hit by the ransomware.

Research from Chainalysis found that criminals made USD 350 million in 2020 from ransomware payments, representing an increase of 311 per cent in one year. Over the same period, the average ransom payment increased by 171 per cent, according to Palo Alto Networks.

Participating countries included Australia, Belgium, Canada, France, Germany, the Netherlands, Luxembourg, Norway, Philippines, Poland, Romania, South Korea, Sweden, Switzerland, Kuwait, the United Kingdom and the United States.
