Fraud Management & Cybercrime , Ransomware
Arrests and Indictments in LockBit Crackdown
US, UK and European Authorities Seize Decryption Keys and Will Contact VictimsAn international law enforcement operation that infiltrated ransomware-as-a-service operation LockBit has resulted in arrests, indictments and the seizure encryption keys that can be used to help victims recover their data.
See Also: 57 Tips to Secure Your Organization
Police from the United Kingdom, the United States and Europe in an action dubbed Operation Cronos seized more than 35 LockBit servers and replaced the group's dark web leak page with a seizure notice and links touting the takedown (see: LockBit Infrastructure Seized by US, UK Police).
"Law enforcement will be coordinating activity to identify and deal with LockBit's affiliates," the newly seized LockBit leak sites states.
Describing the group as "the world's most harmful cybercrime group," the U.K. National Crime Agency said law enforcement had seized the back-end administration panel that LockBit used to manage ransomware attacks. The agency obtained more than 1,000 decryption keys and will contact British victims in the coming days. The FBI and Europol will contact other victims, the agency said. FBI Director Christopher Wray said Tuesday the agencies will contact more than 1,600 known victims.
LockBit emerged in 2019 and was one of the largest ransomware-as-a-service operations. It depended on other hackers - affiliates - to do the actual hacking and offered them up to 75% of any ransom made with its encryptor. The operation has racked thousands of known victims. It now joins a string of Russian-speaking ransomware groups whose servers have been seized by law enforcement. Others include Alphv - also known as BlackCat - and Hive.
"FBI pwned me," LockBitSupp, the organization's spokesperson apparently told malware researcher vx-underground on Monday.
Authorities in Ukraine and Poland each arrested a LockBit affiliate at the behest of French authorities. LockBit took responsibility in January 2022 for hacking the French Ministry of Justice, stealing approximately 8,000 files and maliciously encrypting government computers.
The U.S. Department of Justice unsealed indictments against two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondraty, aka Bassterlord, for their roles in LockBit hacks. The Department of the Treasury sanctioned the two individuals. Moscow typically does not extradite its nationals to foreign states. The Department of State will pay up to $10 million for information leading to the location of LockBit leadership and up to $5 million for information leading to the arrest of affiliates.
Operation Cronos resulted in authorities confiscating LockBit's primary exfiltration tool, called StealBit, which affiliates used to steal victim data. Eurojust, which coordinated the action, said the operation began in April 2022 at the request of French authorities. It resulted in the seizure of LockBit servers located in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.
On Monday, vx-underground posted on social media that affiliates who logged onto the operation's administrative panel had seen a note warning that law enforcement has seized "source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats and much, much more."
NCA General Director Graeme Bigger on Tuesday confirmed that the agency had seized source code and a vast amount of intelligence from LockBit. "As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity," he said.
"We know who they are and how they operate. We are tenacious, and we will not stop in our efforts to target this group and anyone associated with them."
High profile LockBit victims include the New York financial services subsidiary of the Industrial and Commercial Bank of China, which suffered a November ransomware incident that partially disrupted the market in U.S. Treasury investments. In January 2023, LockBit attacked the Royal Mail in the United Kingdom, interrupting international delivery. Boeing and a Chicago children's hospital are also recent victims.
LockBit gained a reputation for being a "bottom feeder of the dark web," driven by a perception among other ransomware group administrators that the head of LockBit was "always being drunk and talking to journalists," Yelisey Bohuslavskiy, co-founder and chief research officer at RedSense, told Information Security Media Group recently (see: Broken LockBit: Ransomware Group Takedown Will Have Impact).
Once known for sophisticated and fast-acting crypto-malware, LockBit operators recently gained a reputation for relying on a rebranded encryptor and for having organizational problems.