April 21, 2024

Investigators dismantle the Lockbit hacker group

More than 2,000 organizations in the West were attacked using software from the hacking group Lockbit. Now two suspected members of the group have been arrested. The criminals also apparently operated servers in Switzerland and Germany.

British postal service Royal Mail is also among Lockbit's victims. Pictured: A locked post box in London, January 24, 2024.

Neil Hall / EPA

An international team of investigating authorities says it has dismantled the Lockbit hacker group. This was first reported by the British law enforcement agency the National Crime Agency (NCA) on Tuesday morning, February 20, 2024.

Lockbit is accused of extorting thousands of companies and organizations using malware: stealing their data, encrypting it, and publishing or selling the data if no ransom is paid.

According to a Europol communication, two suspected members of the group have now been arrested, one in Poland and the other in Ukraine.

Furthermore, more than 200 cryptocurrency wallets were frozen and 14,000 “rogue profiles” were blocked. Lockbit members allegedly used these profiles, on platforms that were not named, to store data stolen from the extorted organizations and to prepare and carry out attacks, the IT news site Bleeping Computer reports.

The Europol communication also shows that Lockbit ran infrastructure in Switzerland. 34 servers connected to the group were shut down, including systems in Germany, Switzerland, the Netherlands, Finland, Australia and the USA.

Investigators also published three international arrest warrants and five indictments against suspected Lockbit members. Two of the accused are known by name: the Russians Artur Sungatov and Ivan Kondratyev, the latter known by his alias “Bassterlord”.

“Operation Cronos” publishes the penalty order on the Lockbit website

Law enforcement agencies from ten Western countries worked together in the operation: Germany, Switzerland, France, Great Britain, the Netherlands, Sweden, the USA, Canada, Australia and Japan. On the Swiss side, the Federal Office of Police (fedpol) and the Zurich Cantonal Police took part in the investigation.

The investigation team, operating under the name “Operation Cronos”, also took control of Lockbit's dark web leak site. Reuters shared a screenshot of the site, taken over on Tuesday morning, showing the banner: “Site now under police control.”

Reuters distributed a screenshot of a dark web page captured from Lockbit on the morning of February 20, 2024.

Reuters

According to research by the NZZ, investigators posted various notices on the dark web site in the afternoon, including a penalty order against other Lockbit members and a recommendation that victims of cyber extortion report to the police.

Screenshot of a dark web page captured from Lockbit on the afternoon of February 20, 2024.

Reuters

“We have hacked the hackers,” Graeme Biggar, director general of Britain's National Crime Agency, said in a statement to the media.

It seems that the authorities do not have full control

It remains unclear how complete the authorities' control over Lockbit is. Security researcher Kevin Beaumont wrote in a Mastodon post on Tuesday morning that three Lockbit services were still online. One of them was still offering stolen data for sale. The NZZ was able to confirm this in its own research on the darknet.

The British broadcaster Sky News reported that a Lockbit representative claimed via an encrypted messaging app that the group had backup servers that had not been affected by law enforcement. The claim cannot be verified.

Victims' data can now be decrypted

Lockbit is one of the most significant hacking groups in the world. According to the US Department of Justice, its ransomware was used in more than 2,000 attacks and extorted more than $120 million in ransom payments.

In 2022, Lockbit was the most widely deployed ransomware. Its most prominent victims include the British postal service Royal Mail and the French Ministry of Justice.

There is now hope for victims of the malware. According to Europol, the authorities have created a tool with which victims can decrypt their data. It is available via the official “No More Ransom” website (nomoreransom.org); victims should obtain the decryptor there rather than from third-party copies.

According to the British authorities, Lockbit first appeared on Russian-language forums in 2019, which led some analysts to conclude that the group originated in Russia. On its dark web site, it listed its headquarters as the Netherlands and stressed that it was apolitical and interested only in money. However, one of the gang's members, a 20-year-old Russian, was arrested in mid-2023.

Lockbit built a veritable ecosystem around its malware: the group leased the software to so-called affiliates, partners who used it to carry out the actual attacks on companies and public authorities. After a successful attack, the affiliate paid a share of the ransom to Lockbit; according to an indictment from the United States, this share was 20 percent. This model is known as ransomware as a service, i.e. extortion software as a service.

It is conceivable that Lockbit will now try to rebuild its criminal enterprise. The authorities are aware of this too. “Our work doesn't end here,” said NCA director general Biggar. But now, he said, they know who the actors are and how they work.

Update from February 20, 11 p.m.: An earlier version of this article mentioned a post on X about a message Lockbit allegedly addressed to its affiliates. The author of that post has since stated that the message was fake.