Ringleader of Ransomware Group in Ukraine Arrested: Europol
2023-11-28 22:53:35 Author: securityboulevard.com

The 32-year-old head of a threat group alleged to be responsible for ransomware attacks against corporations in 71 countries was arrested last week as part of a four-year investigation by European and U.S. law enforcement agencies.

Arrested in Ukraine along with the unnamed ringleader were four other members of the group, which is accused of using such ransomware strains as Hive, LockerGoga, MegaCortex, and Dharma in attacks that netted the gang hundreds of millions of dollars, Europol said this week.

“The suspects had different roles in this criminal organization,” Europol, the EU’s law enforcement agency, wrote in a statement. “Some of them are thought to be involved in compromising the IT networks of their targets, while others are suspected of being in charge of laundering cryptocurrency payments made by victims to decrypt their files.”

The arrests were the latest step in an investigation that kicked off in 2019 and in 2021 led to the arrests of 12 people connected to the group for attacks against critical infrastructure. Europol at the time said the operation had targeted more than 1,800 victims in 71 countries.

It also comes as operations involving multiple law enforcement agencies worldwide have taken shots at high-profile ransomware operations. Last month, EU and U.S. agencies announced an operation against the RagnarLocker group, arresting a malware developer, seizing some of its infrastructure, and shutting down leak sites on the Tor network.

International authorities in January took down the infrastructure of the Russia-linked Hive ransomware group, and in August ran a similar operation against the QakBot malware gang, though reports surfaced two months later that the bad actors were still able to launch phishing campaigns that distributed the Ransom Knight ransomware and the Remcos remote access trojan (RAT).


Building on Prior Arrests

According to Europol, the 2021 operation that led to the arrests of the 12 group members in Ukraine included the seizure of devices that technicians analyzed, with the forensic work leading to the identifications of those arrested last week in Kyiv.

The bad actors responsible for breaking into the networks of targeted companies used brute-force techniques, SQL injections, and phishing emails with malicious attachments to gain initial access and steal usernames and passwords.

“Once inside the networks, the attackers remained undetected and gained additional access using tools including TrickBot malware, Cobalt Strike and PowerShell Empire, in order to compromise as many systems as possible before triggering ransomware attacks,” the agency wrote.

In all, the hackers encrypted more than 250 servers used by the targeted large organizations.
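The initial-access and lateral-movement chain Europol describes (brute-forced credentials, then quiet expansion before encryption) is exactly the window in which defenders can intervene. The following is an added example, not code from the article or from Europol: a small detector that scans constructed OpenSSH-style authentication log lines and flags any source address that produces a burst of failed logins inside a sliding window, escalating the finding when the same address later succeeds. The log lines, addresses, usernames, threshold and window are all constructed for the example.

```python
"""
Added example (not from the Europol statement or the article): flag the
brute-force initial-access pattern described above by counting failed
logins per source IP in a sliding window over OpenSSH-style auth log lines.
A success from an already-flagged source is reported as the highest-priority
case, since it marks the moment credential stuffing turned into access.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog/auth.log style; addresses are RFC 5737 test ranges).
SAMPLE_LOG = """\
Nov 20 09:00:01 srv1 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Nov 20 09:00:03 srv1 sshd[1002]: Failed password for root from 203.0.113.7 port 50123 ssh2
Nov 20 09:00:05 srv1 sshd[1003]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
Nov 20 09:00:06 srv1 sshd[1004]: Failed password for invalid user oracle from 203.0.113.7 port 50125 ssh2
Nov 20 09:00:08 srv1 sshd[1005]: Failed password for root from 203.0.113.7 port 50126 ssh2
Nov 20 09:00:09 srv1 sshd[1006]: Accepted password for svc_backup from 203.0.113.7 port 50127 ssh2
Nov 20 09:10:00 srv1 sshd[1007]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Nov 20 09:25:00 srv1 sshd[1008]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Nov 20 09:25:10 srv1 sshd[1009]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2023):
    """Parse one sshd auth line into a dict, or return None for unrelated lines.
    Syslog omits the year, so the caller supplies one (assumed 2023 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: finding} for every source IP that reaches `threshold`
    failed logins within `window`. A finding records the failure count,
    the usernames tried, and whether a later success followed from that IP."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        # Slide the window: discard failures older than `window` relative to this event.
        while q and ts - q[0] > window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ts)
            users[ip].add(ev["user"])
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"failures": len(q), "users": sorted(users[ip]),
                               "success_after": False}
        elif ip in flagged:
            # Brute force followed by a valid login: treat as probable compromise.
            flagged[ip]["success_after"] = True
            flagged[ip]["compromised_user"] = ev["user"]
    return flagged


if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```

On the constructed log, 203.0.113.7 is flagged after its fifth failure and escalated when `svc_backup` logs in from the same address a second later, while 198.51.100.4 (two failures 15 minutes apart, then a success) stays below the threshold. In a real deployment the window and threshold would be tuned to the environment, and the same sliding-window logic applies unchanged to other authentication sources such as VPN or web login logs.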

According to the agency, the forensic analysis from the investigation has also enabled Swiss authorities, along with No More Ransom and cybersecurity firm Bitdefender, to develop decryption tools for the LockerGoga and MegaCortex ransomware variants. No More Ransom offers more than 100 free decryption tools to enable organizations hit by ransomware to regain access to their captured files without having to pay a ransom.

Fighting Cyberthreats Amid War with Russia

Europol noted that the investigation that led to the arrests is being run at a critical time for Ukraine as it continues to fight against Russia’s illegal invasion of its smaller neighbor, launched in February 2022. A key part of Russia’s offensive has been the use of cyberattacks against Ukrainian organizations, critical infrastructure, and supporters, both in the run-up to the invasion and in the many months since.

Europol did not say whether the people arrested last week were part of a ransomware group associated with Russia, which, along with the likes of China, North Korea, and Iran, is among the top state sponsors of cyberattacks.

Ransomware continues to be a significant problem for governments and organizations around the world. According to a report last month by cyber underwriter Corvus Insurance, the frequency of ransomware attacks in the third quarter jumped 11% over the previous quarter and 95% year-over-year.

Countries are continuing to work together to push back at the cyberthreat. In the most recent operation, participating countries included not only Ukraine but also Norway, France, Germany, Switzerland, and the Netherlands. Europol wrote that the international cooperation in the investigation since 2019 “has remained steadfast and uninterrupted, persisting even amid the challenges posed by the ongoing war in Ukraine.”

In addition, the International Counter Ransomware Initiative, launched in 2021 with 30 members plus the EU, now includes 50 members, according to the Biden Administration, which hosted the group in late October.

Article source: https://securityboulevard.com/2023/11/ringleader-of-ransomware-group-in-ukraine-arrested-europol/