May 6, 2024

LockBit ransomware gang hacked by police

Investigators were able to cripple parts of the dark web infrastructure of notorious cybercriminals. This is what we know about “Operation Kronos”, which, according to Europol, also affects servers in Switzerland.

February 20, 2024, 07:08 (updated February 20, 2024, 1:54 pm)

Daniel Schurter

A major blow to LockBit, one of the most dangerous ransomware gangs: since Monday evening, the Russian cybercriminals' home page has displayed a seizure notice from the police:

“The site is now under the control of law enforcement.”

Leak page seized: Announcement from investigating authorities on LockBit ransomware gang's Darknet page (February 20, 2024).

Warning on the website accessible via the Tor anonymity network: the operation is led by the British criminal police, the FBI and Europol. Screenshot: Watson

Who is taking part in the international operation?

According to a Europol announcement, law enforcement authorities from ten countries have joined forces to form an international task force called “Operation Kronos”:

  • Australia,
  • Germany,
  • France,
  • Great Britain,
  • Japan,
  • Canada,
  • the Netherlands,
  • Sweden,
  • Switzerland,
  • United States.

According to an announcement made on Tuesday afternoon, the Swiss Federal Police as well as the Zurich Public Prosecutor's Office and the Zurich cantonal police are Switzerland's members of the task force.

Operation Kronos: Task Force Against LockBit Ransomware Gang.

The international task force extends across four continents. Chart: Europol

According to Europol, authorities in Finland, New Zealand, Poland and Ukraine provided support.

FBI cybercrime specialists have been investigating the ransomware ring, which also attacked several companies in Switzerland, for years. In June 2023, the Zurich canton police were involved in a US-led strike and provided legal assistance in a criminal case against a 20-year-old Russian citizen.

As heise.de wrote, the name of the operation could refer to the Greek mythological character who ate his children for fear of losing power.

According to the report, security researchers made an internal conflict at LockBit public last week. One of the gang's associates felt cheated and consequently obtained a ban of the LockBit boss from well-known cybercrime forums. It is not entirely clear, however, whether this dispute is related to the current law enforcement operation.

What is distinctive about the investigators' approach?

Apparently IT specialists from the investigative authorities managed to hack the hackers: the malware research group VX-Underground writes on X (Twitter) that LockBit's Darknet sites were taken down by exploiting a serious security vulnerability in PHP. The LockBit administrator is said to have confirmed the attack himself.


Law enforcement also left a note in the password-protected internal area of the platform that LockBit's partners use to direct cyberattacks. There, investigators wrote, they were in possession of “the source code, details of the victims they attacked, the amount of money extorted, stolen data, chats, and much more.”

Alleged screenshot from LockBit gang admin area.

The investigators' note mentions “Lockbitsupp” – the alias of the cybercriminal who acts as the gang's spokesman. Screenshot: twitter.com

According to a message on the seized Darknet page, the authorities announced they would provide more information about the case at 12:30 pm (CET). Europol has since published a detailed media release about the strike against LockBit, speaking of “a major achievement in combating cybercrime.”

The most important points at a glance:

  • Law enforcement authorities from 10 European countries have disrupted the criminal activities of the LockBit ransomware group “at all levels and severely damaged its capabilities and credibility.”
  • The international raid was the result of a complex investigation led by the UK's National Crime Agency as part of an international task force called Operation Kronos, which was coordinated at European level by Europol and Eurojust.
  • The multi-month operation resulted in investigators compromising “the main LockBit platform and other key infrastructure that enabled the criminal enterprise.”
  • 34 servers in the Netherlands, Germany, Finland, France, Great Britain, Switzerland, Australia and the USA have been shut down.
  • Law enforcement authorities also froze more than 200 cryptocurrency accounts linked to the criminal organization.

As part of the operation, the FBI gained access to nearly 1,000 decryption keys, according to US media reports. These normally secret digital keys can enable the recovery of encrypted data and end ongoing LockBit extortion schemes. The FBI runs the site lockbitvictims.ic3.gov, where American victims can register to receive support.

What do we know about the perpetrators?

Europol said that at the request of French judicial authorities, two LockBit representatives were arrested in Poland and Ukraine. French and American judicial authorities also issued three international arrest warrants and five indictments.


On Tuesday, the US judicial system published indictments against two Russian citizens for their alleged role in the LockBit cyberattacks: Artur Sungatov and Ivan Gennadievich Kondratiev, known by the alias “Busterlord.”

The two wanted men remain at large, and in addition to Tuesday's indictment, the US Treasury Department has also imposed sanctions against them.

Brett Leatherman, FBI Assistant Director of Cyber Operations, described the men as “original members, at least since LockBit 1.0.”

The US State Department is also offering rewards of up to $10 million for information leading to the identification or location of LockBit leaders, and $5 million for information about people involved in LockBit activities.

How is LockBit reacting?

Following the police breach, the ransomware gang appears to have sent its criminal partners a detailed message about what happened. A screenshot of the message was shared on X.

The irony of history: the cybercriminals have now allegedly launched their own investigation into how their servers were hacked. Affected business partners are being offered support.

The latest action raises the question of how hard the blow has actually hit LockBit. In previous operations against such groups, their activities were only temporarily suspended before they returned with new infrastructure.

“LockBit will not be able to regain control of the servers used by the actors.”

Brett Leatherman, FBI

The operation against LockBit came two months after the US judicial system struck a blow against another dangerous ransomware gang from Russia: ALPHV (also known as BlackCat). However, these cybercriminals are still active.

What makes the LockBit gang so dangerous?

LockBit has been active since September 2019 and is considered the most active and notorious ransomware gang in recent history. Those responsible rely on a “ransomware as a service” (RaaS) business model, meaning they provide the technical infrastructure needed for attacks and extortion to third parties for a fee.

LockBit cyberattacks have so far claimed more than 2,000 victims around the world, with attacks concentrated in the West. It is estimated that the perpetrators extorted more than US$91 million from US organizations alone.

The ransomware gang is notorious for experimenting with new methods to force victims to pay ransoms, Europol wrote. Triple extortion is one such method: apart from encrypting the victim's data on the servers themselves and threatening to pass on stolen data, perpetrators also use DDoS attacks – that is, server overload attacks – as an additional means of pressure.

Heise.de notes that the coordinated shutdown of the LockBit infrastructure coincides with the arrest of a 31-year-old Ukrainian citizen. The man had previously gained unauthorized access to the Google accounts and online banking accounts of victims in North America.

According to US reports, the indictments unveiled on Tuesday are the fourth and fifth cases filed against alleged LockBit members since 2022:

  • Mikhail Vasiliev, 34, a dual Russian-Canadian citizen, was arrested in Canada in November 2022. He pleaded guilty to charges of cyber extortion and weapons possession, and is expected to be extradited to the United States.
  • Ruslan Magomedovich Astamerov, a Russian national, was arrested in Arizona in June 2023 for his alleged role in the LockBit attacks.
  • Another Russian national, Mikhail Pavlovich Matveev, also known by the alias Wazawaka, was indicted in May 2023 for his role in ransomware attacks that included the LockBit ransomware and its Babuk and Hive variants.

Update to follow…
