From the shadows: The pursuit of ransomware attackers

  • Ransomware assailants cloak their identities behind encryption layers, VPNs, and Tor networks, complicating identification efforts.
  • Variations in legal frameworks, diplomatic protocols, and extradition procedures across countries impede seamless collaboration between law enforcement agencies.
  • Ransomware attackers employ sophisticated tactics, including zero-day exploits and polymorphic malware, to evade detection.

Ransomware attacks have become a pervasive threat in today’s digital landscape, targeting individuals, businesses, and government entities with devastating consequences. Despite efforts by law enforcement agencies and cybersecurity experts to combat these cybercrimes, capturing ransomware attackers remains a formidable challenge.

What is Ransomware?

Ransomware, a form of malware, is designed to pilfer and encrypt files, sensitive data, or personally identifiable information (PII), rendering them inaccessible to victims unless a ransom fee is paid. Exploiting extortion tactics, ransomware assailants commonly target individuals or organisations with lax security measures or unpatched vulnerabilities, injecting malicious software into their computers or mobile devices to execute the ransomware payload.

Recovering encrypted files without a decryption key is exceedingly difficult, posing severe consequences for businesses reliant on encrypted data for daily operations. Failure to meet ransom demands within a specified timeframe can result in permanent file loss or public exposure.

Presently, many cybercriminals demand cryptocurrency like Bitcoin for ransom payments, leveraging its decentralised nature to conceal financial transactions. Despite the challenges of tracking ransom payments on the cryptocurrency blockchain, it remains feasible.

Also read: 5 major types of ransomware attacks

Why is it so difficult to catch ransomware attackers?

Ransomware attackers often operate anonymously, concealing their identities behind layers of encryption and anonymising technologies such as virtual private networks (VPNs) and Tor networks. The use of cryptocurrency for ransom payments adds another layer of anonymity, making it challenging to trace financial transactions and identify perpetrators.

Ransomware attacks frequently originate from foreign jurisdictions, complicating the investigative process due to international jurisdictional challenges. Legal barriers, diplomatic protocols, and differences in legal frameworks across countries impede the extradition of suspects and coordination between law enforcement agencies.

Ransomware attackers employ sophisticated tactics to evade detection, including zero-day exploits, polymorphic malware, and social engineering techniques. Advanced encryption methods make it difficult for cybersecurity experts to decrypt files or identify vulnerabilities in the malware code, prolonging the investigation process.

Also read: Must-know consequences of ransomware attacks

Do ransomware attackers get caught?

Europol, along with international law enforcement agencies, has disrupted a cybercriminal network responsible for numerous ransomware attacks since 2019, targeting over 1,800 victims across 71 countries. Following a two-year investigation, in 2021, raids in Ukraine and Switzerland targeted 12 individuals associated with the attacks. The criminals, known for targeting large corporations, utilised ransomware strains like LockerGoga, MegaCortex, and Dharma, as well as malware such as TrickBot and post-exploitation tools to evade detection and exploit vulnerabilities in IT networks. Europol seised $52,000 in cash and five luxury vehicles from the group.

In late 2021, the United States Department of Justice took action against two foreign nationals involved in deploying Sodinokibi/REvil ransomware, charging them with conducting attacks on businesses and government entities. Yaroslav Vasinskyi, a 22-year-old Ukrainian national, was indicted for conducting ransomware attacks, including the July 2021 Kaseya attack.

Additionally, $6.1 million in funds linked to ransom payments received by Yevgeniy Polyanin, a 28-year-old Russian national, were seised. Both defendants face charges of conspiracy to commit fraud, damage to protected computers, and money laundering. Vasinskyi was arrested in Poland pending extradition to the United States, while Polyanin remains abroad.

And in May 2024, Vasinskyi was sentenced to more than 13 years in prison in Texas.

Also read: 5 biggest ransomware attacks in history

In February 2024, a coordinated global effort by law enforcement agencies has led to the disruption of the notorious ransomware group LockBit, with the arrest of two individuals and the seisure of 200 cryptocurrency accounts. Spearheaded by Britain’s National Crime Agency (NCA), the operation targeted LockBit, renowned for its provision of ransomware services to affiliates involved in infecting victim networks.

Police in Poland and Ukraine made additional arrests as part of the operation. The takedown, dubbed “Operation Cronos,” involved a coalition of 10 countries and resulted in the seisure of control of Lockbit’s infrastructure and release of internal data about the group itself. The unsealed indictment charges Artur Sungatov and Ivan Kondratyev with using Lockbit ransomware to target victims in various industries across multiple countries.


Lydia Luo

Lydia Luo, an intern reporter at BTW media dedicated in IT infrastructure. She graduated from Shanghai University of International Business and Economics. Send tips to

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *