May 21, 2024

LockBit ransomware gang hacked by police

Investigators were able to cripple parts of the dark web infrastructure of notorious cybercriminals. This is what we know about “Operation Kronos”, which, according to Europol, also affects servers in Switzerland.

02/20/2024, 07:08February 20, 2024 at 1:54 pm

Daniel Shorter

Follow me

A major blow to LockBit, one of the most dangerous ransomware gangs. Since Monday evening, the Russian cybercriminals' home page has received a message from the police informing them of the seizure:

“The site is now under the control of law enforcement.”

Leak page seized: Announcement from investigating authorities on LockBit ransomware gang's Darknet page (February 20, 2024).

Warning on the website accessible via the Tor anonymity network: The operation is led by the British Criminal Police, the FBI and Europol. Screenshot: Watson

Who participates in the international process?

According to a Europol announcement, law enforcement authorities from ten countries have joined forces to form an international task force called “Operation Kronos”:

  • Australia,
  • Germany,
  • France,
  • Great Britain,
  • Japan,
  • Canada,
  • Holland,
  • Sweden,
  • Switzerland,
  • United State.

According to an announcement made Tuesday afternoon, the Federal Federal Police as well as the Zurich Public Prosecutor's Office and the cantonal police are part of the task force in Switzerland.

Operation Kronos: Task Force Against LockBit Ransomware Gang.

The international workforce extends across four continents.Chart: Europol

According to Europol, authorities in Finland, New Zealand, Poland and Ukraine provided support.

FBI cybercrime specialists have been investigating the ransomware ring, which also attacked several companies in Switzerland, for years. In June 2023, the Zurich canton police were involved in a US-led strike and provided legal assistance in a criminal case against a 20-year-old Russian citizen.

As wrote, the name of the operation could refer to the Greek mythological character who ate his children for fear of losing power.

According to the report, security researchers created an internal conflict at LockBit Public last week. One of the gang's associates felt betrayed and thus obtained a ban against the LockBit boss on well-known online forums for cybercriminals. However, it is not entirely clear whether this dispute is related to the current operation carried out by law enforcement authorities.

What is distinctive about the investigators' approach?

Apparently IT specialists from the investigative authorities managed to hack the hackers: malware research group VX-Underground Writes on X (Twitter)LockBit sites on the Darknet are being exploited Serious security vulnerability in PHP It has been deactivated. The LockBit administrator is said to have confirmed the hacker attack himself.

See also  The last generation: climate stickers obscure airports

Law enforcement also left a note in the password-protected internal area of ​​the platform that LockBit partners use to direct cyberattacks. There, investigators wrote, they were in possession of “the source code, details of the victims they attacked, the amount of money extorted, stolen data, chats, and much more.”

Alleged screenshot from LockBit gang admin area.

The prosecutor's letter mentions “Lockbitsupp” – the alias for the cybercriminal who acts as a spokesman for the gang.Screenshot:

According to a message on the seized Darknet page, the authorities wanted to provide more information about the case at 12:30 pm (CET). In fact, Europol has now published a detailed media release about the strike against LockBit. He talks about “a major achievement in combating cybercrime.”

The most important points at a glance:

  • Law enforcement authorities from 10 European countries have disrupted the criminal activities of the LockBit ransomware group “at all levels and severely damaged its capabilities and credibility.”
  • The international raid was the result of a complex investigation led by the UK's National Crime Agency as part of an international task force called Operation Kronos which was coordinated at European level by Europol and Eurojust.
  • The multi-month operation resulted in investigators compromising “the main LockBit platform and other key infrastructure that enabled the criminal enterprise.”
  • 34 servers in the Netherlands, Germany, Finland, France, Great Britain, Switzerland, Australia and the USA have been shut down.
  • Law enforcement authorities also froze more than 200 cryptocurrency accounts linked to the criminal organization.

As part of the operation, the FBI gained access to nearly 1,000 decryption keys, according to US media reports. These inherently secret digital keys can enable recovery of encrypted data and end ongoing LockBit extortion schemes. The FBI runs the site lockbitvictims.ic3.govwhere American victims can register to receive support.

What do we know about the perpetrators?

Europol said that at the request of French judicial authorities, two LockBit representatives were arrested in Poland and Ukraine. French and American judicial authorities also issued three international arrest warrants and five indictments.

See also  Extreme heat - 500 deaths in five days of heat wave in Canada - News

On Tuesday, the US judicial system published indictments against two Russian citizens for their alleged role in the LockBit cyberattacks: Artur Sungatov and Ivan Gennadievich Kondratiev, known by the alias “Busterlord.”

The two wanted men remain at large, and in addition to Tuesday's indictment, the US Treasury Department has also imposed sanctions against them.

Brett Leatherman, FBI Assistant Director of Cyber ​​OperationsHe described the men as “original members, at least since LockBit 1.0.”

The US State Department will also Rewards up to $10 million For information leading to the identification or discovery of LockBit leaders, as well as $5 million for information about people involved in LockBit activities.

How does LockBit interact?

The ransomware gang appears to have sent its criminal partners a detailed message informing them of their actions following the police breach. A screenshot of the post was shared by X.

The irony of history: Cybercriminals have now allegedly launched an investigation to find out how their servers were hacked. Support is being provided to affected business partners.


The latest action raises questions about how hard the hit has been to LockBit. In previous operations against these groups, their activities were temporarily suspended before returning with new infrastructure.

“LockBit will not be able to regain control of the servers used by the actors.”

Brett Leatherman, FBI

The operation against LockBit came two months after the US judicial system struck a blow against another dangerous ransomware gang from Russia: ALPHV (also known as BlackCat). However, these cybercriminals are still active.

What makes the LockBit gang so dangerous?

LockBit has been active since September 2019 and is considered the most active and notorious ransomware gang in recent history. Those responsible rely on a “ransomware as a service” (Raas) business model, which means they provide the technical infrastructure needed for attacks and extortion to third parties for a fee.

Cyberattacks on LockBit have so far claimed more than 2,000 victims around the world, with attacks concentrated in the West. It is estimated that the perpetrators extorted more than US$91 million from US organizations alone.

See also  French students condemn school violations on TikTok

The ransomware gang is notorious for experimenting with new methods to force victims to pay ransoms, Europol wrote. Triple extortion is one such method: apart from encrypting the victim's data on the servers themselves and threatening to pass on stolen data, perpetrators also use DDoS attacks – that is, server overload attacks – as an additional means of pressure. notes that the coordinated shutdown of the LockBit infrastructure coincides with the arrest of a 31-year-old Ukrainian citizen. The man previously gained unauthorized access to the Google accounts and online banking accounts of victims in North America.

According to US reports, the indictments unveiled on Tuesday are the fourth and fifth cases filed against alleged LockBit members since 2022:

  • Mikhail Vasiliev, 34, a dual Russian-Canadian citizen, was arrested in Canada in November 2022. He pleaded guilty to charges of cyber extortion and weapons possession, and is expected to be extradited to the United States.
  • Ruslan Magomedovich Astamerov, a Russian national, was arrested in Arizona in June 2023 for his alleged role in the LockBit attacks.
  • Another Russian national, Mikhail Pavlovich Matveev, also known by the alias Wazawaka, was indicted in May 2023 for his role in ransomware attacks that included the LockBit ransomware and its Babuk and Hive variants.

Update to follow…


The most dangerous ransomware gangs in the world


The most dangerous ransomware gangs in the world

In this photo series, you'll learn about some of the most dangerous ransomware gangs, which often attack with the help of criminal business partners and almost everywhere in Europe and North America.

Source: shutterstock

Post it on FacebookShare on X

“Say His Name” – U2 pays tribute to Alexei Navalny in concert in Las Vegas

Video: Twitter

You may also be interested in: