Just days after the notorious Russia-based LockBit ransomware group was taken offline by a major law enforcement operation, the gang has returned to the dark web with a new leak site and a growing list of new victims.
In a verbose and rambling statement released Saturday, the remaining LockBit administrators blamed themselves for last week's turmoil, in which a global law enforcement effort exploited vulnerabilities in the gang's public-facing websites, including the dark web leak site it used to publish data stolen from victims, to hijack the gang's infrastructure.
The operation, dubbed “Operation Cronos” by federal authorities, took down 34 servers in Europe, the United Kingdom and the United States, seized more than 200 cryptocurrency wallets, and led to the arrest of two alleged LockBit members in Poland and Ukraine.
Just five days later, LockBit announced that it was back in business, claiming it was unaffected by the law enforcement takedown and had restored its operation from backups. In a statement, LockBit's administrators threatened to retaliate by targeting government departments.
A spokesperson for the National Crime Agency, which led Operation Cronos, told TechCrunch on Monday, following LockBit's resurgence, that the takedown operation “successfully infiltrated and took control of LockBit's systems, compromising the entire criminal operation.”
“It is our assessment that their systems have now been destroyed by the NCA and that LockBit remains fully compromised,” the NCA said.
For now, the two sides are at odds: law enforcement claims a landslide victory, while LockBit's apparent ringleader remains at large, threatening retaliation and targeting new victims. Reports of LockBit's demise may be overstated, as the gang has claimed more than a dozen new victims since its brazen reboot.
As the cat-and-mouse game between federal authorities and criminals continues, so do stories of fights and bold claims from both sides.
The NCA promised a big reveal about the gang's long-time leader, known as 'LockBitSupp', but in a post on Friday on LockBit's own compromised dark web leak site the agency revealed little about the administrator.
“We know who he is. We know where he lives. We know how much he's worth. LockBitSupp has engaged with law enforcement :),” the vaguely worded NCA message said.
U.S. law enforcement agencies are also offering millions of dollars in rewards for details “leading to the identification or whereabouts of individuals in key leadership positions” in the LockBit gang, which suggests that authorities either do not have that information or cannot yet prove it.
LockBit is unlikely to go away while its apparent administrator, LockBitSupp, is still active and remains the last piece of the LockBit puzzle. Ransomware gangs are known for quickly reorganizing and rebranding, even after law enforcement claims to have wiped them out entirely.
Consider the example of another Russia-based ransomware gang. ALPHV, also known as BlackCat, suffered a similar blow last year when law enforcement seized its dark web leak site and released decryption keys to allow victims to regain access to their stolen files. Just days later, ALPHV announced it had “unseized” the leak site, claiming the FBI only had decryption keys for around 400 companies, leaving more than 3,000 victims with their data still encrypted.
As of this writing, the ALPHV leak site remains operational and continues to add new victims almost daily.
Other ransomware gangs, such as Hive and Conti, have faced similar law enforcement actions in recent years, but they are said to have simply rebranded and regrouped under different names. Conti members are said to be operating under the new Black Basta, BlackByte and Karakurt groups, while former Hive members have rebranded as a new ransomware operation named Hunters International.
While LockBit's takedown has been hailed by many as one of the most significant in recent years, it's unlikely that much will change, and there are already signs of that happening.
In a lengthy post, LockBit claimed that law enforcement had obtained only a small number of decryption tools, had arrested the wrong people, and had not taken down every website under the gang's control. LockBit also vowed to upgrade the security of its infrastructure, release manual decryption tools, and continue its affiliate program in light of the operation.
“The FBI with its assistants cannot scare me or stop me. The stability of the service is guaranteed by years of continuous efforts,” LockBit's rant continued. “They want to scare me because they can't find me and eliminate me, and they can't stop me.”
The NCA told TechCrunch that the agency “recognizes that LockBit is likely to attempt to reorganize and rebuild its systems,” but also said that the agency's activities continue to disrupt the group.
NCA spokesman Richard Crowe said: “We have collected vast amounts of information about them and those associated with them, and efforts to target and disrupt them continue.”
The admission that law enforcement is still working to disrupt the gang tells us everything we need to know: LockBit isn't dead yet, and probably never was.