LOOK WHO'S TROLLING NOW
After years of losing, it’s finally feds’ turn to troll ransomware group
Authorities who took down the ransomware group brag about their epic hack.
After years of being outmaneuvered by snarky ransomware criminals who tease and brag about each new victim they claim, international authorities finally got their chance to turn the tables, and they aren't squandering it.
The top-notch trolling came after authorities from the US, UK, and Europol took down most of the infrastructure belonging to LockBit, a ransomware syndicate that has extorted more than $120 million from thousands of victims around the world. On Tuesday, most of the sites LockBit uses to shame its victims for being hacked, pressure them into paying, and brag of their hacking prowess began displaying content announcing the takedown. The seized infrastructure also hosted decryptors victims could use to recover their data.
Police arrest LockBit ransomware members, release decryptor in global crackdown
- February 20, 2024
- 06:30 AM
Update February 20, 07:21 EST: Article updated with further details on the operation.
- arrested two operators of the LockBit ransomware gang in Poland and Ukraine,
- created a decryption tool to recover encrypted files for free, and
- seized over 200 crypto-wallets after hacking the cybercrime gang's servers in an international crackdown operation.
- Two of the indictments were unsealed by the U.S. Justice Department against two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord), for their involvement in LockBit attacks.
- Previous charges against LockBit ransomware actors include Mikhail Vasiliev (November 2022), Ruslan Magomedovich Astamirov (June 2023), and Mikhail Pavlovich Matveev aka Wazawaka (May 2023).
Sungatov and Kondratiev were also sanctioned today by the U.S. Department of Treasury's Office of Foreign Assets Control.
Operation Cronos
The global LockBit crackdown was coordinated by Operation Cronos, a task force headed by the U.K. National Crime Agency (NCA) and coordinated in Europe by Europol and Eurojust. The investigation began in April 2022 at Eurojust, following a request from the French authorities.
"The months-long operation has resulted in the compromise of LockBit's primary platform and other critical infrastructure that enabled their criminal enterprise," Europol said today.
"This includes the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.
"This infrastructure is now under law enforcement control, and more than 14 000 rogue accounts responsible for exfiltration or infrastructure have been identified and referred for removal by law enforcement."
Europol has told BleepingComputer that those rogue accounts were used by LockBit members to host tools and software used in attacks and to store data stolen from companies.
- Using these decryption keys, the Japanese Police, the NCA, and the Federal Bureau of Investigation (FBI) developed a LockBit 3.0 Black Ransomware decryption tool with Europol's support.
- However, it may be possible for victims who paid ransom demands to recover some of their ransomware payments now, like the FBI previously did for Colonial Pipeline and various healthcare orgs.
LockBit infrastructure seized
As part of this joint action, the NCA has taken control of LockBit servers used to host data stolen from victims' networks in double extortion attacks and the gang's dark web leak sites.
LockBit's dark websites were taken down yesterday, showing seizure banners that revealed the disruption resulted from an ongoing international law enforcement action.
"We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more," the message reads.
"We may be in touch with you very soon. Have a nice day. Regards, The National Crime Agency of the U.K., the FBI, Europol, and the Operation Cronos Law Enforcement Task Force."
Who is LockBit?
The LockBit ransomware-as-a-service (RaaS) operation surfaced in September 2019 and has since been linked to or has claimed attacks on many high-profile organizations worldwide, including Boeing, the UK Royal Mail, the Continental automotive giant, and the Italian Internal Revenue Service.
- Most recently, Bank of America warned customers of a data breach after third-party service provider Infosys McCamish Systems (IMS) was hacked in an attack claimed by LockBit.