Zurich investigators can crack malware

The FIN6 group caused damage of several hundred million Swiss francs with ransomware attacks. Now the investigators have made a breakthrough.

Criminal cyber attacks on companies with so-called ransomware have increased in recent years.


After months of work, the Zurich investigators made a breakthrough: they were able to decrypt numerous private keys stored on data carriers seized from a suspected cybercriminal.

For prosecutors, the private keys are something like the jackpot. They give companies hit by the attacks a chance to restore data that the ransomware encrypted, the Zurich public prosecutor's office and the Zurich cantonal police say in a joint statement.

Ransomware is malware that criminals use for extortion. This type of cybercrime has increased significantly in recent years. The gangs break into their victims' IT systems and encrypt the data so that files and systems become unusable; they then demand a ransom for the decryption. Cybercriminals often copy the data beforehand so that they can additionally threaten the victims with publishing the stolen information (so-called double extortion).
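The reason seized private keys are a "jackpot" follows from how ransomware usually manages keys: each victim or file is encrypted with a fresh symmetric key, and that key is wrapped with the operator's public key and stored alongside the ciphertext, so only the operator's private key can unwrap it. The following Python block, added here as an illustration and not code from the page, from the investigators or from LockerGoga itself, models that hierarchy and shows why one recovered private key yields a decryptor for every file it wrapped, while a different private key cannot open them. It is constructed for this page: it uses textbook RSA with fixed Mersenne primes and an HMAC-SHA256 keystream in place of a real cipher so that it runs on the standard library alone, and neither is secure for real use.

```python
"""Ransomware key hierarchy: per-file symmetric key wrapped with the operator's
RSA public key. Illustration added to the article, not the page's or LockerGoga's
real scheme. Toy RSA (fixed primes) and an HMAC-based keystream: NOT secure."""
import hashlib
import hmac
import os

KEY_BYTES = 32          # per-file symmetric key length
NONCE_BYTES = 16

# Constructed toy primes (Mersenne primes, so they are known to be prime).
P_DEFAULT = (1 << 521) - 1
Q_DEFAULT = (1 << 127) - 1
E = 65537


def rsa_keygen(p=P_DEFAULT, q=Q_DEFAULT):
    """Return ((n, e), (n, d)). Fixed primes => deterministic toy keys."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # modular inverse, Python 3.8+
    return (n, E), (n, d)


def _keystream_xor(key, nonce, data):
    """XOR data with HMAC-SHA256(key, nonce || block counter); stand-in for CTR mode."""
    out = bytearray()
    for i, pos in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[pos:pos + 32], ks))
    return bytes(out)


def wrap_key(sym_key, pub):
    """Textbook RSA encryption of the symmetric key with the operator's public key."""
    n, e = pub
    m = int.from_bytes(sym_key, "big")
    if m >= n:
        raise ValueError("key too large for this modulus")
    size = (n.bit_length() + 7) // 8
    return pow(m, e, n).to_bytes(size, "big")


def unwrap_key(wrapped, priv):
    """Recover the symmetric key; fails if this private key did not wrap it."""
    n, d = priv
    m = pow(int.from_bytes(wrapped, "big"), d, n)
    if m >= 1 << (8 * KEY_BYTES):
        raise ValueError("wrapped key does not open under this private key")
    return m.to_bytes(KEY_BYTES, "big")


def ransomware_encrypt(plaintext, operator_pub):
    """Attacker side: fresh per-file key, wrapped key stored in the file header.
    Layout: nonce | 2-byte wrapped-key length | wrapped key | ciphertext."""
    sym_key = os.urandom(KEY_BYTES)
    nonce = os.urandom(NONCE_BYTES)
    wrapped = wrap_key(sym_key, operator_pub)
    body = _keystream_xor(sym_key, nonce, plaintext)
    return nonce + len(wrapped).to_bytes(2, "big") + wrapped + body


def decrypt_file(blob, operator_priv):
    """Decryptor side: unwrap the per-file key with the recovered private key.
    Returns the plaintext, or None when the private key does not match."""
    nonce = blob[:NONCE_BYTES]
    wlen = int.from_bytes(blob[NONCE_BYTES:NONCE_BYTES + 2], "big")
    start = NONCE_BYTES + 2
    wrapped, body = blob[start:start + wlen], blob[start + wlen:]
    try:
        sym_key = unwrap_key(wrapped, operator_priv)
    except ValueError:
        return None
    return _keystream_xor(sym_key, nonce, body)


def demo():
    """Two victims' files, one recovered operator key, one unrelated key."""
    pub, priv = rsa_keygen()
    files = [b"victim A: quarterly report", b"victim B: customer database"]
    blobs = [ransomware_encrypt(f, pub) for f in files]
    recovered = [decrypt_file(b, priv) for b in blobs]
    # Unrelated toy key pair built from two other Mersenne primes.
    _, wrong_priv = rsa_keygen(p=(1 << 607) - 1, q=(1 << 89) - 1)
    with_wrong_key = [decrypt_file(b, wrong_priv) for b in blobs]
    return recovered, with_wrong_key


if __name__ == "__main__":
    ok, bad = demo()
    print("recovered with seized key:", ok)
    print("with an unrelated key:", bad)
```

The point the demo makes is the one behind the No More Ransom tools: the symmetric keys were never stored in the clear, so victims could not decrypt on their own, but a single private key, once in the investigators' hands, unwraps the per-file keys of every victim that key was used against.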

The trail leads to Ukraine

The investigations by the Zurich prosecutors go back to an internationally coordinated strike against organized cybercrime in October last year. Ukraine, France, Norway, the Netherlands and the USA were involved in the police action.

There were 12 arrests: 11 of them took place in Ukraine, 1 in Switzerland. A video released by the Ukrainian authorities at the time shows members of a special unit storming an apartment and confiscating cash, vehicles, data carriers, mobile phones and technical equipment.

At the end of October last year, eleven arrests were made in Ukraine as part of a coordinated police operation in which Swiss investigators were also involved.


On October 26, 2021, a Tuesday morning, police vehicles also drove up to the apartment of a suspect in Binningen near Basel. The investigators arrested the man on the basis of a request for legal assistance from France. Computers, USB sticks, mobile phones and cash in various currencies were also confiscated. Prosecutors, however, remain silent about the man's nationality and age. He is said to have worked as a software developer for an international company, the CH Media newspapers later reported.

The suspect is said to have been a member of a group of cybercriminals internationally prosecuted under the designation FIN6. The group is accused of numerous ransomware attacks with a total of up to 1800 victims in 71 countries. The perpetrators are said to have caused damage totaling several hundred million francs.

According to Europol, most of the arrested gang members were high-value targets in the criminal organization. They had different roles within the well-organized gang: some were responsible for breaking into the computer networks, others carried out the actual extortion, and still others took care of laundering the ransoms, which were paid in bitcoin.

The gang used various malware for its attacks, in particular a file-encrypting program called “LockerGoga” from the beginning of 2019. The most prominent victims at the time were the French technology group Altran and the Norwegian aluminum manufacturer Norsk Hydro. These cases also triggered the extensive investigations coordinated by Europol.

After the arrest in Binningen, the public prosecutor's office of Basel-Landschaft opened proceedings against the suspect for money laundering and damage to data, in parallel with the proceedings in France. These allegations indicate that the accused may have been directly involved in the intrusions and the encryption of the data; alternatively, he may have played a role in transferring the ransoms, which are usually paid in cryptocurrencies.

In the meantime, the Zurich cyber investigators have taken over the case from Binningen, for reasons of jurisdiction, as the Zurich public prosecutor's office said when asked.

Attacked companies should file criminal charges

The recovery of the private keys gives the companies affected by the attacks hope, because the authorities have now released a tool on the “nomoreransom.org” website that is intended to recover data encrypted with “LockerGoga”. A corresponding tool for “MegaCortex”, another piece of ransomware, will be available soon, according to the Zurich authorities. How many victims have already benefited from the decryption tool is not known; the Zurich authorities have no information on this.

The tool was created in cooperation with Europol, the company Bitdefender and the “No More Ransom” project. The “No More Ransom” initiative was founded about six years ago as a cooperation between Europol, the Dutch police and private IT companies. It offers victims free decryption programs; the website now has tools for over 160 different ransomware variants.

The authorities are calling on victims of the two malware families to file criminal charges in their respective home countries. They also strongly recommend raising security standards.
