Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates – Krebs on Security

neub9
By neub9
3 Min Read

U.S. and U.K. authorities have successfully taken down darknet websites run by LockBit, a notorious group responsible for over 2,000 ransomware attacks worldwide, extorting a staggering $120 million in payments. Instead of displaying stolen victim data, LockBit’s victim shaming website now offers free recovery tools and updates on arrests and criminal charges involving LockBit affiliates. Investigators repurposed LockBit’s victim shaming website to share press releases and free decryption tools for victims. Dubbed “Operation Cronos,” the law enforcement action involved the confiscation of nearly 30 servers, the arrest of two alleged LockBit members, the unsealing of two indictments, the release of a free LockBit decryption tool, and the freezing of more than 200 cryptocurrency accounts believed to be linked to the gang’s activities. According to the U.S. Department of Justice (DOJ), LockBit members have targeted thousands of victims in the U.S. and globally since emerging in September 2019. The group has made hundreds of millions in ransom demands and received over $120 million in ransom payments. LockBit operated as a ransomware-as-a-service group, providing everything from hosting and web domains to malware development and maintenance, while affiliates were responsible for finding new victims and could receive 60 to 80 percent of any ransom amount. The European police agency Europol stated that the months-long operation led to the compromise of LockBit’s primary platform and other critical infrastructure, including the takedown of 34 servers across several countries. Two suspected LockBit actors were arrested in Poland and Ukraine, with indictments unsealed against two Russian men alleged to be active members of LockBit. In January 2022, the U.S. unsealed indictments against two alleged LockBit affiliates – Mikhail Matveev and Mikhail Vasiliev. LockBit was known to recruit affiliates that worked with multiple ransomware groups simultaneously, and the impact of this takedown on competing ransomware affiliate operations remains unclear. The FBI and U.K.’s National Crime Agency (NCA) appear to be taunting LockBit members with their seizure notices, including reusing the countdown timer previously used for victim organizations to now count down to the doxing of “LockBitSupp.” LockBitSupp responded by placing a $10 million bounty on his own head, expressing disappointment at the FBI’s lack of a reward for his doxing or arrest. Mark Stockley, cybersecurity evangelist at the security firm Malwarebytes, said the NCA is clearly trolling LockBit and LockBitSupp. In a press conference, the FBI said that Operation Cronos involved investigative assistance from several international law enforcement agencies. The Justice Department advised LockBit victims to contact the FBI to determine if their systems can be decrypted. Additionally, the Japanese Police, with support from Europol, released a recovery tool for files encrypted by the LockBit 3.0 Black Ransomware.

Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *