A coalition of international law enforcement agencies, including the US Federal Bureau of Investigation and the UK's National Crime Agency, disrupted the operations of the notorious ransomware group LockBit.
LockBit's dark web leak site, where the group exposes victims and threatens to leak stolen data unless ransom demands are paid, was replaced with a law enforcement notice on Monday.
Since first emerging as a ransomware operation in late 2019, LockBit has become one of the world's most prolific cybercriminal organizations, targeting victims around the world and extorting millions of dollars in ransom payments.
Hattie Hafenrichter, a spokesperson for the UK's National Crime Agency, confirmed to TechCrunch that “LockBit services have been suspended as a result of international law enforcement action.” A message on the downed leak site confirmed that it was “currently under the control of the UK National Crime Agency, working closely with the FBI and the international law enforcement task force Operation Cronos.”
As of this writing, the site contains a series of posts exposing LockBit's capabilities and operations, including backend leaks and details about LockBit's alleged mastermind, known as LockBitSupp.
Operation Cronos is a special task force led by the NCA and coordinated in Europe by the law enforcement agencies Europol and Eurojust. Law enforcement organizations from other countries also participated in the ransomware takedown operation: Australia, Canada, France, Finland, Germany, the Netherlands, Japan, Sweden, Switzerland, and the United States.
In a statement on Tuesday, Europol acknowledged that the months-long operation “compromised LockBit's key platforms and other critical infrastructure that enabled their criminal activities.” This included the takedown of 34 servers in Europe, the UK, and the US, and the seizure of over 200 cryptocurrency wallets.
It is not yet known how much cryptocurrency was stored in these wallets or how much was seized by authorities.
Separately, the US Department of Justice has unsealed charges against two Russians, Artur Sungatov and Ivan Gennadyevich Kondratyev, for their alleged role in launching LockBit cyberattacks.
The Department of Justice previously indicted three other people as members of the LockBit ransomware operation. Mikhail Vasiliev, a dual citizen of Russia and Canada, is currently detained in Canada awaiting extradition to the United States. Ruslan Magomedovich Astamirov, a Russian national, is being held in the United States awaiting trial. The third suspected member, Mikhail Pavlovich Matveev, also known as Wazawaka, is believed to be living in the Russian enclave of Kaliningrad and remains subject to a $10 million U.S. government reward for information leading to his arrest.
Two people believed to be associated with LockBit were also arrested in Poland and Ukraine at the request of French judicial authorities.
Prior to Monday's takedown, LockBit claimed on its dark web leak site to be “based in the Netherlands, completely apolitical and only interested in money.”
Law enforcement announced that it had obtained decryption keys from LockBit's seized infrastructure as part of Operation Cronos to help victims of the ransomware gang regain access to their data.
Allan Liska, ransomware expert and threat intelligence analyst at Recorded Future, told TechCrunch that the move “completely marks the end of the LockBit operation in its current form.”
“LockBitSupp, the primary spokesperson for the LockBit operation, has not been arrested, but his operation has been crippled and its infrastructure completely exposed. Given such past takedowns, this will have a serious impact on his reputation and his ability to attract new affiliates in the future,” Liska said.
According to the Department of Justice, LockBit has been used in approximately 2,000 ransomware attacks against victim systems in the United States and around the world, resulting in more than $120 million in ransom payments.
Matt Hull, head of threat intelligence at UK-based cybersecurity firm NCC Group, told TechCrunch that the company has recorded more than 1,000 LockBit victims in 2023 alone, which is “more than the number of victims we identified throughout the year.” This accounts for 22% of all ransomware victims.
LockBit and its affiliates have claimed responsibility for hacking some of the world's largest organizations. Last year, the group claimed responsibility for attacks on aerospace giant Boeing, semiconductor manufacturer TSMC, and British postal giant Royal Mail. In recent months, LockBit has claimed responsibility for cyberattacks on India's state-run Aerospace Research Institute and one of India's largest financial giants, as well as a ransomware attack on Fulton County, Georgia, that disrupted the county's main services for weeks.
Monday's takedown is the latest in a series of law enforcement actions targeting ransomware gangs. In December, a group of international law enforcement agencies announced that they had seized the dark web leak site of a notorious ransomware group known as ALPHV (BlackCat). The site listed a number of high-profile victims, including news-sharing site Reddit, healthcare company Norton, and Barts Health NHS Trust in London.
This is a developing story.