
Europol Arrests Hackers Behind 2019 Norsk Hydro Ransomware Attack

October 29, 2021

International Law Enforcement Disrupts Major Ransomware Network

A significant network of organized cybercriminals responsible for numerous ransomware attacks has been dismantled through a collaborative effort led by Europol and its partner law enforcement agencies. Since 2019, over 1,800 victims across 71 countries have been impacted by these malicious activities.

Raids Conducted in Ukraine and Switzerland

Raids were carried out this week in both Ukraine and Switzerland, focusing on 12 individuals identified as key players in the criminal enterprise. The EU’s police agency announced these actions on Friday, following a comprehensive two-year investigation. Details of any arrests or formal charges have not yet been made clear.

Targeting Large Corporations

The individuals in question are known for deliberately targeting large corporations and causing substantial disruption to business operations. Their attacks effectively brought companies to a standstill, and they demanded significant ransom payments to restore access.

Connection to the Norsk Hydro Attack

Among the ransomware strains utilized by this group was LockerGoga, notably employed in the 2019 attack against Norwegian aluminum processor Norsk Hydro. This cyberattack resulted in a near-week-long production halt across the company’s global facilities, incurring losses exceeding $50 million.

Norway’s National Criminal Investigation Service (Kripos) has officially confirmed the link between the targeted individuals and the attack on Norsk Hydro.

Deployment of Multiple Malware Strains

Beyond LockerGoga, the hackers also deployed MegaCortex and Dharma ransomware. They further leveraged malware such as TrickBot, alongside post-exploitation tools like Cobalt Strike and PowerShell Empire. This allowed them to maintain stealth and expand their access within compromised networks.

Europol explained that the criminals would remain hidden within systems, sometimes for extended periods, actively searching for vulnerabilities before initiating ransomware deployment to monetize the infection.

Financial Seizures and High-Value Targets

The total financial gains realized by the criminals remain unclear. However, law enforcement officials have seized $52,000 in cash and five luxury vehicles as part of the operation.

These suspects are considered “high-value targets” due to their involvement in multiple, significant investigations across various jurisdictions. Each individual played a distinct role within these highly organized criminal organizations.

Ransom Payment Laundering

A number of the suspects are believed to have been responsible for laundering the ransom payments received. They allegedly utilized Bitcoin mixing services to obscure the funds before converting them into usable currency.

International Collaboration

The operation involved participation from law enforcement agencies representing Norway, France, the U.K., Switzerland, Germany, Ukraine, the Netherlands, and the U.S. Over 50 foreign investigators were deployed to Ukraine on October 26th to directly target the cybercriminals.

This coordinated effort demonstrates a strong commitment to combating cybercrime on an international scale.
