11-nation operation takes down world’s ‘most harmful’ cybercriminal group

11-nation operation takes down world’s ‘most harmful’ cybercriminal group

11-nation operation takes down world’s ‘most harmful’ cybercriminal group

An international coalition of law enforcement agencies in 11 countries announced Tuesday that it had taken control of computers and software at the heart of the world’s most prolific ransomware group, giving victims hope that they won’t be forced to make ransom payments to recover data stolen from their computer systems.

The infrastructure seized from the LockBit ransomware gang included hundreds of electronic keys needed to recover the stolen data as well as the site on the dark web, where LockBit leaked data from victims who refused to pay ransoms in cryptocurrency, officials said.

The law enforcement effort, dubbed Operation Cronos, was led by the United Kingdom’s National Crime Agency and included the FBI and other enforcement agencies. The coalition then used the group’s site to mimic its previous operation and begin leaking information about LockBit, posting a countdown timer for files still to come, including one teasing forthcoming information about the anonymous frontman for the gang.

“It’s a thing of beauty. The NCA and FBI are trolling LockBit aggressively,” said Don Smith, vice president at Secureworks, which had its analysis of the group republished by the authorities on the hackers’ site.

Criminals who hack into the internal networks of targeted organizations use ransomware to encrypt the data there and render it unusable. They demand money for the decryption key and sometimes not to publish data they have stolen. According to the Justice Department, LockBit malware has been used to extort more than $120 million in ransom payments from more than 2,000 victims.

The first sign of the takeover appeared late Monday, when a notice appeared on LockBit’s site that read: “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

U.K. and U.S. officials said they won control of 200 financial accounts holding an undisclosed amount of cryptocurrency, the programming source code used to encrypt data and sneak it out of corporate networks, and records of electronic chats with the LockBit affiliates who conducted the actual hacking. One accused participant was arrested in Ukraine and another in Poland, with both now in American custody, while an indictment was unsealed against two others who are presumed to be inside Russia.

LockBit malware has been responsible for about a quarter of all ransomware attacks in the past two years, Secureworks estimated. LockBit is widely believed to be operated from Russia, though its ties to the Russian government, if any, are uncertain.

In 2022, it was the most-deployed piece of ransomware in the world, according to the U.S. Cybersecurity and Infrastructure Security Agency.

LockBit has published data stolen from aerospace giant Boeing and upset financial markets with an attack on the financial services division of a major Chinese bank, ICBC. The tool was also used to cripple Britain’s mail service last year, disrupting international parcel exports for a week. It has hit numerous U.S. cities, school systems and counties, recently including Fulton County in Georgia, where former president Donald Trump faces charges related to his alleged efforts to overturn the 2020 election.

Fulton County officials said Wednesday that some its services, including technology used in its justice system, remained disrupted more than two weeks after the attack — requiring that certain meetings take place in person rather than over the phone or other communications platforms.

NCA Director General Graeme Biggar called LockBit the “most harmful cybercrime group” in the world. “Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out,” he said in a statement.

Officials did not reveal how they succeeded in seizing LockBit’s site, but one person close to the operation said it may have taken as long as a year. With ransomware groups hitting critical infrastructure and extorting as much as a $1 billion annually, many acting from within Russia’s borders, tech-enabled takedowns have become a top priority, sometimes getting assistance from intelligence and military agencies as well as law enforcement.

Previous takedowns and arrests have broken some crime rings or dented them. But because some of the top groups operate in a decentralized fashion, essentially offering their services for hire to cybercriminals seeking to penetrate an organization, other ransomware groups were able to offer similar services. In this case, the investigators are threatening the hackers themselves, known as affiliates, warning them on the seized site that they may be in touch and inviting them to come forward first.

LockBit became the top ransomware operation by giving its affiliates, who keep about 80 percent of the ransoms, unusual latitude to negotiate with their targets and publish the pilfered data themselves. Other ransomware gangs handle such duties on behalf of the hackers.

That deeper collaboration between LockBit and the affiliates may have helped investigators penetrate the network. The coalition said it also had gained control of 28 servers belonging to affiliates.

“LockBit is one of the most significant ransomware threats, and many would argue it to be the most prolific group today,” Jason Nurse, a cybersecurity expert at the University of Kent in England, said in an email. “These groups are well-funded, operate like a business and are extremely careful in their approach,” he added.

Did a ransomware gang mess up by attacking a U.S. arm of China’s biggest bank?

In 2022, LockBit issued an apology after it said its ransomware was used to target a children’s hospital. It offered the hospital a code to unlock its systems — and reportedly issued policy guidance that banned criminals from using its software in attacks “where damage to the files could lead to death.”

But the loose affiliate model means that every few months, someone installed LockBit on a sensitive target anyway, researchers said.

A royal mess in the U.K. points to the risks of cyberattacks on mail delivery

British law enforcement agencies have previously warned against focusing too much on tackling individual variants of ransomware. Disrupting individual ransomware variants “is akin to treating the symptoms of an illness, and is of limited use unless the underlying disease is addressed,” the NCA said.

But U.K. and U.S. officials hope that LockBit and its affiliates will disband their operations, at least temporarily, out of concern that the authorities will be able to identify them and arrest at least those affiliates who are outside Russia and China.

News Related

OTHER NEWS

Volkswagen "very worried" about the future of its operations in SA

A senior Volkswagen executive involved in a global cost-cutting strategy said on Friday, 24 November, he was “very worried” about the future of the company’s operations in South Africa, which ... Read more »

Liz Truss backs Trump with call for Republican presidential victory

Photograph: Toby Melville/Reuters Liz Truss, the shortest-serving prime minister in British history, who was famously shown to have a shorter shelf life than a lettuce, has effectively backed Donald Trump ... Read more »

Standard Bank treasonous? We're literally helping to keep the lights on says CEO

Standard Bank treasonous? We're literally helping to keep the lights on says CEO Bruce Whitfield speaks to Lungisa Fuzile, Standard Bank SA CEO. Standard Bank is one of 28 banks ... Read more »

Israel, Hamas agree to extend truce for two days; Musk ‘would like to help rebuild Gaza’

Israel, Hamas agree to extend truce for two days; Musk ‘would like to help rebuild Gaza’ The UN said many people in Gaza still had no food or cooking fuel ... Read more »

This is what Pitso Mosimane said about the African Football League

Mamelodi Sundowns’ former coach, Pitso Mosimane, dismissed the African Football League Jingles shared his opinion and compared it to the CAF league and said that it was a mere tournament ... Read more »

Take note of these N3 road works between Westville and Paradise Valley

Take note of these N3 road works between Westville and Paradise Valley The N3 between the Westville viaduct and Paradise Valley interchange will be partially closed to traffic for the ... Read more »

UKZN medical student bags 2023 Health Excellence Rising Star Award

UKZN medical student bags 2023 Health Excellence Rising Star Award Durban — One of the country’s most progressive young minds in the medical field, fifth-year University of KwaZulu-Natal (UKZN) medical ... Read more »
Top List in the World