Major ransomware site taken down in international law enforcement sting
20 February 2024, 13:14
Five Russians were charged by US authorities in relation to LockBit, which was used in a quarter of ransomware attacks last year.
A site used to sell the hacking software behind thousands of ransomware attacks has been taken down in an international law enforcement sting.
LockBit was used in a quarter of ransomware attacks last year and was described as the most prolific group of its kind in the past four years.
Thousands of victims were targeted internationally and more than 200 in the UK, including the Royal Mail and public service bodies including hospitals.
Another attack in September saw sensitive military information leaked when private security firm Zaun was targeted.
The NCA reveals details of an international disruption campaign targeting the world’s most harmful cyber crime group, Lockbit.
Watch our video and read on to learn more about Lockbit and why this is a huge step in our collective fight against cyber crime. pic.twitter.com/m00VFWkR9Z
— National Crime Agency (NCA) (@NCA_UK) February 20, 2024
Director General of the National Crime Agency Graeme Biggar said: “We have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.
“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”
The gang behind the software used marketing tactics including paying 1,000 US dollars to customers who had the logo tattooed on themselves and payouts for anyone who spotted errors in their code.
US authorities have charged five Russians in relation to LockBit, and two other suspects have been arrested in Poland and Ukraine.
Around 200 cryptocurrency accounts have also been frozen by investigators.
The site had been used by LockBit to sell services, including ransomware, to hackers which would allow them to breach people’s computer networks.
Victims were locked out of their systems and asked to pay a ransom in order to get access to their data, causing billions in losses for the payments and the cost of recovering information.
NCA investigators found that the gang behind the ransomware attacks did not always delete data when victims paid ransoms.
It said it has found more than 1,000 decryption keys held by hackers and will be contacting UK-based victims to help them recover encrypted data.
Two of the suspects charged by the US are in custody, Mikhail Vasiliev, who is being held in Canada awaiting extradition, and Ruslan Magomedovich Astamirov, who is in the US.
The remaining three, Artur Sungatov, Ivan Kondratyev and Mikhail Pavlovich Matveev, are at large.
The NCA said the infrastructure supporting LockBit’s tool that was used to steal data, known as StealBit, based in three countries, has also been seized.
Hundreds of people are thought to have been involved in running the group.
Mr Biggar said: “Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code and obtained keys that will help victims decrypt their systems.”
U.S. and U.K. Disrupt LockBit Ransomware Variant
U.S. Indictment Charges Two Russian Nationals with Attacks Against Multiple U.S. and International Victims; FBI Seizes Infrastructure; and Department of Treasury Takes Additional Action Against LockBit
— U.S. Department of Justice (@TheJusticeDept) February 20, 2024
Paul Foster, head of the NCA’s national cybercrime unit, said that LockBit’s popularity was partly because it was so easy to use.
He said: “LockBit had established itself as the preeminent ransomware strain over the last four years and one of the reasons for this was its intuitive platform and its relative ease of use.
“That means just with a few simple clicks even the less technically savvy cybercriminals used LockBit to deploy ransomware.
“Another key reason for their past criminal success was the marketing and branding that underpinned LockBit. They had a slick website and they had loyal customers.
“They ran a successful marketing campaign that included a promise to pay 1,000USD to anybody who had the LockBit logo tattooed on themselves.”
Experts said that while LockBit may rebuild its network, the law enforcement action is a major setback.
Chris Morgan, senior cyber threat intelligence analyst from cybersecurity firm ReliaQuest said: “The operation carried out by law enforcement against Lockbit could potentially be the most significant action taken against ransomware so far.
“The success of the law enforcement operation will be dictated over whether Lockbit are able to recover their operations.
“ReliaQuest has observed Lockbit as the most active and prolific ransomware groups for several years, who will likely have significant resources and backup infrastructure capable of recovering operations and showing resilience.
“The operation will however likely deal a significant short term blow to the group’s operations, sowing distrust throughout the groups affiliates over potential law enforcement compromise.”
Chester Wisniewski, director, global field CTO at cybersecurity firm Sophos said: “Lockbit rose to be the most prolific ransomware group since Conti departed the scene in mid-2022.
“The frequency of their attacks, combined with having no limits to what type of infrastructure they cripple has also made them the most destructive in recent years.
“Anything that disrupts their operations and sows distrust amongst their affiliates and suppliers is a huge win for law enforcement.
“We shouldn’t celebrate too soon though.
“Much of their infrastructure is still online, which likely means it is outside the grasp of the police and the criminals have not been reported to have been apprehended.”
