Law enforcement disrupts LockBit ransomware syndicate, arrests made in UK and US

Law enforcement disrupts prolific ransomware group LockBit

LONDON — Two people have been arrested after law enforcement infiltrated and disrupted LockBit, a prolific ransomware syndicate that extracted $120 million from thousands of victims around the world, U.K., U.S. and European officials announced on Tuesday.

The UK’s National Crime Agency (NCA) says it led an international operation targeting LockBit, which offers ransomware as a service to so-called affiliates who infect victims’ networks with computer-destroying malware and negotiate ransom payments.

Officials said in a joint press conference that the operation resulted in two arrests and the seizure of 200 cryptocurrency accounts in Poland and Ukraine. Meanwhile, the Justice Department has brought charges against two more people, both Russian nationals.

Authorities said they gained comprehensive access to LockBit’s systems, took control of its infrastructure, and obtained keys to help victims decrypt their data.

NCA director general Graham Biggar said: “We have hacked the hackers. LockBit has been locked out.”

Hours before the announcement, the homepage of LockBit’s dark web leak site was replaced with flags from the United Kingdom, the United States, and several other countries, along with a statement that the site was now under law enforcement control.

The message said the NCA is working closely with the FBI and the international law enforcement force Operation Kronos, which includes Europol and agencies from Germany, France, Japan, Australia, New Zealand, Canada and other countries.

LockBit has been active since 2019 and has been the most prolific ransomware syndicate for two years in a row. The group accounted for 23% of the roughly 4,000 attacks worldwide last year in which ransomware groups posted data stolen from victims and extorted payment, according to cybersecurity firm Palo Alto Networks.

LockBit has been linked to attacks on Britain’s Royal Mail, the British National Health Service, aircraft manufacturer Boeing, international law firm Allen & Overy, and China’s largest bank, ICBC.

Ransomware is the most expensive and most destructive form of cybercrime, causing significant damage not only to businesses but also to local governments, court systems, hospitals, and schools. Combating it is difficult because most gangs are based in former Soviet Union countries, beyond the reach of Western justice.

Tuesday’s announcement brings the number of people the United States has indicted since the operation began to five. Three Russians have been indicted so far, two in Canada, one in the United States, and the others are still wanted.

Authorities said they seized the servers the gang used to organize and transfer victims’ data and gained access to nearly 1,000 potential decryption tools. They obtained the source code of the LockBit platform and a large amount of information about the people the gang was working with.

Brett Callow, an analyst at cybersecurity firm Emsisoft, said the operation was probably the most significant ransomware attack to date. Although it would probably mean the end of the brand, such groups regularly re-emerge under new names. Callow said that in the long term, this operation alone will not reduce the volume of ransomware attacks.

A rare offensive cyber operation for the UK Crime Agency, the operation aimed to steal all of LockBit’s data and destroy its infrastructure, significantly exacerbating the cybercrime threat.

LockBit is controlled by Russian speakers and does not attack former Soviet Union countries. Officials have suggested that LockBit may have hundreds of members, but Biggar said there is no evidence that Russia or other countries are behind the syndicate.

They are criminals, but the lack of repression by Russia shows that the Russian government tolerates the gang’s activities, he said.

“Today, we have dealt a decisive blow not only to their operations but also, importantly, to their reputation,” said Jean-Philippe Lecouf, Europol’s Deputy Director-General for Operations.

Cybersecurity experts are wondering how many details law enforcement has about LockBit affiliates’ negotiations with victims, including who secretly paid the ransom and how much they paid. Victims are usually reluctant to publicly admit that ransomware is the culprit, due to the specialized companies hired to respond to the attack.

Officials told reporters the gang targeted 2,000 victims around the world. Mr Biggar said this figure would be a significant underestimate.

Last June, a U.S. federal agency issued an advisory attributing approximately 1,700 ransomware attacks in the U.S. since 2020 to LockBit, with victims including local governments, county governments, public higher education, K-12 schools and emergency services.

The indicted Russians, Artur Sungatov and Ivan Kondratyev, are accused of introducing LockBit to U.S. manufacturing companies and semiconductor companies around the world. Kondratyev allegedly used the system against municipal and civilian targets in Oregon, Puerto Rico, and New York, and other victims in Singapore, Taiwan, and Lebanon, while Sungatov used it against municipal and civilian targets in Minnesota, Indiana, Puerto Rico, and Wisconsin. It is said to have been used against manufacturing, logistics, and insurance companies in Florida and New Mexico.

The U.S. Treasury Department imposed sanctions on Mr. Sungatov and Mr. Kondratyev in what it called the first phase of an ongoing collaboration with the Department of Justice, FBI, and international partners targeting LockBit.

Sophia Anderson
Sophia Anderson is an accomplished crime reporter at The Reportify, specializing in investigative journalism and criminal justice. With an unwavering commitment to uncovering the truth, Sophia fearlessly delves into the depths of criminal cases to shed light on the darkest corners of society. Her keen analytical skills and attention to detail enable her to piece together complex narratives and provide comprehensive coverage of high-profile trials, crime scenes, and law enforcement developments. Sophia's dedication to justice and her ability to present facts with clarity and sensitivity make her articles an essential resource for readers seeking an in-depth understanding of the criminal landscape. She can be reached at sophia@thereportify.com for any inquiries or further information.