Better late than never. One year after an international crackdown in which 13 LockerGoga and MegaCortex hackers were arrested in Switzerland and Ukraine, the Zurich prosecutor's office and the cantonal police of that city have just announced that they have recovered numerous private keys for these two ransomware families.
Bitdefender Releases Universal LockerGoga Decryptor in Cooperation with Law Enforcement: https://t.co/nkeXV9xv88
—BitdefenderLabs (@BitdefenderLabs) September 16, 2022
As the Swiss judicial authorities explain, after the arrest of a suspect in Switzerland, a Ukrainian prosecuted for extortion, money laundering and computer hacking, cyber-investigators from the Zurich cantonal police were able to examine the digital devices seized on that occasion and unearth the private keys.
Decryptor published by Bitdefender
In the aftermath, cybersecurity firm Bitdefender has released a new LockerGoga decryption tool. Admittedly, the decryptor is of limited practical interest, arriving three years after the ransomware's first attacks and with its criminal activity having stopped in October 2021.
More generally, though, this outcome shows that international legal action can pay off against ransomware gangs. The case, which also mobilized police in the United States, Norway, the Netherlands and Ukraine, owes a lot to the work of French investigators: it was they who first tracked down the suspect arrested in Switzerland.
Entrusted by the Paris public prosecutor's office to the Central Office for the Fight against Crime Linked to Information and Communication Technologies (OCLCTIC) and to the DGSI, the French judicial investigation had been launched following the cyberattack that hit Altran. The engineering and innovation consulting giant, since acquired by the digital services company Capgemini, had been the victim of an intrusion in January 2019.
Gaining access to a command and control server
According to the account given by The Parisian at the time of the arrests, French investigators had managed to identify a command and control server located in France. This then enabled them to map the criminal infrastructure, which relied in particular on the modular Trojan Trickbot, also used by the Conti gang, and on the Cobalt Strike penetration testing tool.
Investigators then followed the ransom payments to trace the attackers. In a notable effort at transparency, Altran had publicly detailed the lessons it drew from the crisis, but the company did not say whether it had paid a ransom. On that point, The Express had reported a payment of 300 bitcoins (then around one million euros) which, however, reportedly did not yield a working decryption key.
The 13 people arrested in October 2021 are accused of having launched 1,800 cyberattacks against individuals and organizations in 71 countries, causing damages of several hundred million euros, according to the Swiss judicial authorities. While the suspect arrested in Switzerland, who is also the subject of a French judicial investigation opened in February 2022, is being held in pre-trial detention, the fate of the twelve others arrested in Ukraine remains unknown.