They would have been better off not hacking Altran. A French police investigation, opened after a cyberattack on the engineering and innovation consulting giant in January 2019, has just culminated, after four years of work, in an international raid in Ukraine against a ransomware gang.
Five people, including a 32-year-old man suspected of being the right-hand man of the cybercriminal organization, were arrested in Volodymyr Zelensky’s country by the local police. Around twenty investigators from Germany, the United States, France and Norway were also present as reinforcements. An “unprecedented effort” in the fight against ransomware attacks, the European police agency Europol said approvingly.
“This is an emblematic case which shows that there is no impunity”, Christophe Durand, head of the cyber investigations unit of the new anti-cybercrime office, also tells ZDNET.fr. “We are now looking to accelerate the pace of our investigations,” he adds.
These men are accused of taking part in attacks using the LockerGoga, MegaCortex, Hive and Dharma malware against more than 250 servers in 71 countries, attacks which, by the police’s calculation, caused damage amounting to several hundred million euros.
In total, 18 people in their twenties and thirties have been arrested in this case. These arrests follow a first wave carried out in October 2021, when thirteen people were arrested in Switzerland and Ukraine thanks to information obtained by the French police.
Judicial authorities now believe they have apprehended a good part of the gang, from the developer to the sellers of initial access, including the money launderers and the hackers responsible for deploying the malicious programs. One arrest is still missing to complete the investigation, however: that of the gang’s leader, who has been identified but whose whereabouts are uncertain, according to the French police. Their Ukrainian counterparts, for their part, declared that the 32-year-old man arrested was the leader of the gang.
The international investigation was driven by the work of police officers from the Central Office for the Fight against Crime Related to Information and Communication Technologies (OCLCTIC). In charge of investigating the Altran hack, they had found traces of a man living in Switzerland, suspected of being the gang’s developer.
While France has requested his extradition, Swiss prosecutors are also investigating other hacks he may be accused of. His arrest nonetheless made it possible to publish a decryptor for the LockerGoga ransomware last year, as ZDNET.fr explained. The tool is of limited practical value several years after those ransomware attacks, but it does show that a happy ending is possible in ransomware cases.
Server in France
French police first managed to identify a command and control server located in France, rented out to third parties by a Ukrainian national, before following the trail of ransom payments to track down the malicious hackers. According to L’Express, Altran, since bought by the digital services company Capgemini, had paid 300 bitcoins (then around one million euros) to try to limit the damage, without however succeeding in obtaining a decryption key from the cybercriminals.
French police officers had also succeeded in mapping the criminal infrastructure, which relied in particular on the Trickbot Trojan and the Cobalt Strike penetration-testing tool.
The cybercriminals are also suspected of using the Empire program, an offensive security toolkit based on PowerShell. Their intrusions relied, Europol said, on a mix of brute force attacks, SQL injections and phishing messages intended to steal credentials.
(Article updated on November 29 at 9:50 a.m. with the addition of a link to the Ukrainian police press release).