From the warm-and-fuzzy information comes this feel-good Friday publish, chronicling this week’s takedown of two hated ransomware teams. One vanished on Tuesday, allegedly after being hacked by a bunch claiming allegiance to Ukraine. The opposite was taken out a day later because of a global police dragnet.
The primary group, calling itself Trigona, noticed the content material on its darkish internet sufferer naming-and-shaming website pulled down and changed with a banner proclaiming: “Trigona is gone! The servers of Trigona ransomware gang has been infiltrated and worn out.” An outfit calling itself Ukrainian Cyber Alliance took credit score and included the tagline: “disrupting Russian felony enterprises (each private and non-private) since 2014.”
Poor operational safety
A social media post from a person claiming to be a Ukrainian Cyber Alliance press secretary stated his group focused ransomware teams partly as a result of they think about themselves out of attain of Western legislation enforcement.
“We simply discovered one gang like that and did to them as they do to the remaining,” the press secretary wrote. “Downloaded their servers (ten of them), deleted every part and defaced for the final time. TOR did not assist them and even realizing that they had a gap in it. Their complete infrastructure is totally blown away. Such a hunt ahead.’”
A separate social media post dumped what the press secretary stated was an administrative panel key and stated the group worn out Trigona’s “touchdown, weblog, leaks website, inside server (rocketchat, atlassian), wallets and dev servers.” The particular person additionally claimed that the Ukrainian Cyber Alliance hacked a Confluence server Trigona used.
By Friday, the Trigona website was unavailable, as evidenced by the message “Onionsite not discovered.”
Trigona first surfaced in 2022 with shut ties to ransomware teams often known as CryLock and BlackCat and looser ties to ALPHV. It primarily hacked corporations within the US and India, adopted by Israel, Turkey, Brazil, and Italy. It was recognized for compromising MYSQL servers, typically by brute forcing passwords. A June profile of the group by researchers from safety agency Development Micro famous that the group’s technical sophistication was blended.
“The Trigona ransomware group has poor operational safety with regards to the implementation of Tor websites—though their goal of focusing on poorly managed SQL servers just isn’t one thing we often see with much less technically proficient risk actors,” the publish said.
The timeline of the hack, primarily based on the social media posts, means that the breach started roughly eight days in the past, with the hack of a Confluence server Trigona members used to collaborate. In an interview with the Report, the group stated it deliberate to show over information it seized to legislation enforcement authorities.
A takedown 2 years within the making
The second ransomware gang takedown this week occurred to Ragnar Locker, a bunch that has hacked quite a few organizations worldwide. On Friday, Europol said:
In an motion carried out between 16 and 20 October, searches have been performed in Czechia, Spain and Latvia. The “key goal” of this malicious ransomware pressure was arrested in Paris, France, on 16 October, and his house in Czechia was searched. 5 suspects have been interviewed in Spain and Latvia within the following days. On the finish of the motion week, the principle perpetrator, suspected of being a developer of the Ragnar group, has been introduced in entrance of the analyzing magistrates of the Paris Judicial Courtroom.
The ransomware’s infrastructure was additionally seized within the Netherlands, Germany and Sweden and the related information leak web site on Tor was taken down in Sweden.
Ragnar Locker emerged in 2019 and shortly turned recognized for its success in hacking organizations in numerous sectors, together with well being care, authorities, know-how, finance, training, and media. It’s what’s often known as a RAAS (ransomware as a service), during which core members develop the encryption software program, run a central server, after which work with associates. The associates then hack victims, and earnings are divided between the 2 teams. Extra concerning the group is on the market here and here.
Friday’s Europol publish stated Ragnar Locker members warned victims to not contact authorities as a result of they might solely “muck issues up.”
The truth is, Europol members, together with the FBI and Ukrainian authorities, had been investigating the group since 2021 and steadily made progress, culminating on this week’s arrest and takedown.
“Little did they know that legislation enforcement was closing in on them,” Europol stated.