Major ransomware site taken down in international law enforcement sting

20 February 2024, 13:14

LockBit
LockBit. Picture: PA

Five Russians were charged by US authorities in relation to LockBit, which was used in a quarter of ransomware attacks last year.

A site used to sell the hacking software behind thousands of ransomware attacks has been taken down in an international law enforcement sting.

LockBit was used in a quarter of ransomware attacks last year and was described as the most prolific group of its kind in the past four years.

Thousands of victims were targeted internationally and more than 200 in the UK, including the Royal Mail and public service bodies including hospitals.

Another attack in September saw sensitive military information leaked when private security firm Zaun was targeted.

Director General of the National Crime Agency Graeme Biggar said: “We have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

The gang behind the software used marketing tactics including paying 1,000 US dollars to customers who had the logo tattooed on themselves and payouts for anyone who spotted errors in their code.

US authorities have charged five Russians in relation to LockBit, and two other suspects have been arrested in Poland and Ukraine.

Around 200 cryptocurrency accounts have also been frozen by investigators.

The site had been used by LockBit to sell services, including ransomware, to hackers which would allow them to breach people’s computer networks.

Victims were locked out of their systems and asked to pay a ransom in order to get access to their data, causing billions in losses for the payments and the cost of recovering information.

NCA investigators found that the gang behind the ransomware attacks did not always delete data when victims paid ransoms.

Lockbit taken down
Experts have said the action against LockBit is a significant short term blow, but that the group may rebuild its operation (Tim Goode/PA)

It said it has found more than 1,000 decryption keys held by hackers and will be contacting UK-based victims to help them recover encrypted data.

Two of the suspects charged by the US are in custody, Mikhail Vasiliev, who is being held in Canada awaiting extradition, and Ruslan Magomedovich Astamirov, who is in the US.

The remaining three, Artur Sungatov, Ivan Kondratyev and Mikhail Pavlovich Matveev, are at large.

The NCA said the infrastructure supporting LockBit’s tool that was used to steal data, known as StealBit, based in three countries, has also been seized.

Hundreds of people are thought to have been involved in running the group.

Mr Biggar said: “Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code and obtained keys that will help victims decrypt their systems.”

Paul Foster, head of the NCA’s national cybercrime unit, said that LockBit’s popularity was partly because it was so easy to use.

He said: “LockBit had established itself as the preeminent ransomware strain over the last four years and one of the reasons for this was its intuitive platform and its relative ease of use.

“That means just with a few simple clicks even the less technically savvy cybercriminals used LockBit to deploy ransomware.

“Another key reason for their past criminal success was the marketing and branding that underpinned LockBit. They had a slick website and they had loyal customers.

“They ran a successful marketing campaign that included a promise to pay 1,000USD to anybody who had the LockBit logo tattooed on themselves.”

Experts said that while LockBit may rebuild its network, the law enforcement action is a major setback.

Chris Morgan, senior cyber threat intelligence analyst from cybersecurity firm ReliaQuest said: “The operation carried out by law enforcement against Lockbit could potentially be the most significant action taken against ransomware so far.

“The success of the law enforcement operation will be dictated over whether Lockbit are able to recover their operations.

“ReliaQuest has observed Lockbit as the most active and prolific ransomware groups for several years, who will likely have significant resources and backup infrastructure capable of recovering operations and showing resilience.

“The operation will however likely deal a significant short term blow to the group’s operations, sowing distrust throughout the groups affiliates over potential law enforcement compromise.”

Chester Wisniewski, director, global field CTO at cybersecurity firm Sophos said: “Lockbit rose to be the most prolific ransomware group since Conti departed the scene in mid-2022.

“The frequency of their attacks, combined with having no limits to what type of infrastructure they cripple has also made them the most destructive in recent years.

“Anything that disrupts their operations and sows distrust amongst their affiliates and suppliers is a huge win for law enforcement.

“We shouldn’t celebrate too soon though.

“Much of their infrastructure is still online, which likely means it is outside the grasp of the police and the criminals have not been reported to have been apprehended.”

By Press Association

More Technology News

See more More Technology News

National Cyber Security Centre launch

National Cyber Security Centre names Richard Horne as new chief executive

The lights on the front panel of a broadband internet router, London.

Virgin Media remains most complained about broadband and landline provider

A person using a laptop

£14,000 being lost to investment scams on average, says Barclays

Europe Digital Rules

Meta unveils latest AI model as chatbot competition intensifies

AI technology

Younger children increasingly online and unsupervised, Ofcom says

Migrant Channel crossing incidents

Ministers will be told to use AI to screen migrants for threats, adviser says

Nothing smartphone

UK tech firm Nothing to integrate ChatGPT into its devices

The Google offices in Six Pancras Square, London

Google confirms more job cuts as part of company reorganisation

Person using laptop

Housing association reprimanded after residents’ data compromised

A screengrab of an arrest in connection with the LabHost website

Arrests made and thousands of victims contacted after scammer site taken offline

Social media apps on a smartphone

Three-quarters of public fear misinformation will affect UK elections – report

Businessman racing with a robot

TUC calls for AI to be regulated in the workplace

The ChatGPT website

AI chatbot ‘could be better at assessing eye problems than medics’

FastRig wingsail launch

Scottish-made wingsail set for sea tests after launch on land

Immigration

Rollout of eVisas begins as Government aims for digital immigration by 2025

Elon Musk in 2024

X may start charging new users to post, says Elon Musk