The Top 5 Ransomware Takedowns

Learn about the recent achievements in the fight against ransomware as law enforcement agencies and cybersecurity organizations successfully disrupt operations, seize infrastructure, and safeguard victims from further attacks.

Trigona ransomware, a relatively new threat actor that emerged in late 2022, faced significant setbacks due to the actions of the Ukrainian Cyber Alliance (UCA), a group of pro-Ukraine hacktivists. The UCA successfully took down Trigona’s servers, including the website’s administrative panel, landing page, blog, internal server, cryptocurrency wallets, and developer servers.

The UCA’s actions were in response to Trigona’s harmful activities, as they sought to hold the ransomware gang accountable for the harm they caused to their victims. The UCA also targeted Trigona Leaks, a dark web “name-and-shame” extortion blog allegedly operated by the Trigona ransomware group.

Trigona primarily targeted tech, healthcare, and banking companies in the U.S., India, Israel, Turkey, Brazil, and Italy. The takedown operation by the UCA not only disrupted Trigona’s operations but also potentially provided valuable data for future research and analysis.

The Hive ransomware group, responsible for targeting over 1,500 victims in more than 80 countries, including hospitals, school districts, financial firms, and critical infrastructure, became the target of a successful takedown operation by the U.S. Department of Justice and international law enforcement agencies.

The FBI penetrated Hive’s computer networks, gaining access to their decryption keys, which were then offered to victims worldwide, preventing them from having to pay the $130 million in ransom demanded by Hive. The FBI provided over 300 decryption keys to Hive victims who were under attack and over 1,000 additional keys to previous victims.

In coordination with German and Dutch law enforcement, the U.S. Department of Justice seized control of the servers and websites used by Hive to communicate with its members. This disruption significantly hampered Hive’s ability to attack and extort victims.

The takedown operation not only prevented victims from paying millions of dollars in ransom but also disrupted Hive’s operations and protected critical infrastructure organizations from further attacks. The Department of Justice remains committed to supporting victims of cybercrime and providing assistance to those targeted by Hive.

Qakbot, also known as Qbot, Quackbot, Pinkslipbot, and TA570, is a notorious malware that has evolved from a banking trojan into a multi-purpose botnet and malware variant. In a multinational operation involving several countries, including the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia, the botnet and malware known as Qakbot were disrupted, and its infrastructure was taken down.

As part of the takedown operation, more than $8.6 million in cryptocurrency, representing illicit profits obtained through Qakbot activities, was seized. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) executed a coordinated operation to disrupt Qakbot infrastructure worldwide, severing the connection between victim computers and Qakbot command and control servers.

CISA and FBI have provided recommendations for organizations to implement in order to reduce the likelihood of Qakbot-related activity and promote the identification of Qakbot-facilitated ransomware and malware infections. These recommendations aim to enhance network defenders’ detection, remediation, and prevention measures.

Conti ransomware, identified as a successor to the Ryuk ransomware group, has caused significant damage in a relatively short period. Multiple indictments have been unsealed in different federal jurisdictions, charging several Russian cybercrime actors involved in the Trickbot malware and Conti ransomware schemes.

Trickbot malware, acting as an initial intrusion vector, was used to support various ransomware variants, including Conti. Conti ransomware was responsible for attacking more than 900 victims worldwide, including critical infrastructure targets in the United States and other countries.

The takedown operation demonstrates the commitment of law enforcement agencies to bring cybercriminals to justice and protect critical infrastructure. The defendants face various charges, including conspiracy to violate the Computer Fraud and Abuse Act, wire fraud conspiracy, and conspiracy to launder the proceeds of the scheme.

The Ragnar Locker ransomware gang, one of the oldest and most notorious groups, was recently dismantled in a strategic operation led by international law enforcement agencies. A 35-year-old man believed to be the “main perpetrator” of the RagnarLocker operation was arrested in Paris.

Authorities conducted searches at the alleged developer’s home in the Czech Republic, and associates of the developer were interviewed in Spain and Latvia. Raids were also conducted in Ukraine, at the premises of one of the group members.

Law enforcement agencies seized RagnarLocker’s dark web portal, used for extorting victims by publishing stolen data. The gang’s infrastructure was also seized in the Netherlands, Germany, and Sweden, with nine servers being seized in total.

The takedown operation was a significant blow to RagnarLocker, which had been responsible for numerous high-profile attacks against critical infrastructure sectors since 2020, targeting victims in Europe and the United States.

Despite law enforcement scrutiny, RagnarLocker continued targeting victims, demonstrating the persistence and adaptability of ransomware groups. Ongoing efforts are crucial to ensuring the continued disruption of such groups and protecting businesses from their malicious activities.

Cyberthreats are growing more advanced, from sophisticated malware to insider attacks. BlackFog provides complete protection against these risks. Our Enterprise ADX solution uses behavioral analysis and data exfiltration to detect and prevent insider threats and ransomware across all endpoints.

Learn more about how BlackFog protects enterprises from the threats posed by ransomware.