‘World’s most harmful’ cybercriminal group disrupted in 11-nation operation


Global law enforcement agencies said Tuesday that they have significantly infiltrated the operations of LockBit, one of the world’s most prolific criminal ransomware gangs, in an international operation that aimed to disrupt the group’s repeated attacks.

According to a statement issued Tuesday, an international task force led by Britain’s National Crime Agency, representing 11 countries’ law enforcement agencies including the FBI, was behind the investigation into LockBit. “After infiltrating the group’s network, the NCA has taken control of LockBit’s services, compromising their entire criminal enterprise,” the British agency said.

The malicious ransomware variant has been deployed by criminal hackers to extort tens of millions of dollars from victims around the world — ranging from global banks to local schools. It is widely believed to be operated from Russia.

As part of the joint operation, two people were arrested Tuesday morning in Poland and Ukraine, and over 200 cryptocurrency accounts were frozen, according to the NCA’s statement. In the United States, the Department of Justice said it has criminally charged two Russian nationals with using LockBit to carry out ransomware attacks. It said both are in U.S. custody.

In a statement, NCA Director General Graeme Biggar described LockBit as the “most harmful cybercrime group” in the world. “Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out.”

British law enforcement officials said they obtained more than 1,000 “decryption keys” that could be used to help recover victims’ stolen data and seized the wider infrastructure deployed by LockBit to steal that data, as well as servers belonging to 28 of its affiliates.

The first sign of this news appeared late Monday, when a notice appeared on LockBit’s website that read: “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

Criminals use LockBit ransomware to hack into the internal databases of targeted organizations, extract sensitive data and attempt to extort money from victims. According to the Justice Department, the malicious software has been used to extort more than $120 million in ransom payments from over 2,000 victims. In 2022, it was the most deployed piece of ransomware in the world, according to the U.S. Cybersecurity and Infrastructure Security Agency.

“LockBit is one of the most significant ransomware threats, and many would argue it to be the most prolific group today,” Jason Nurse, a cybersecurity expert at the University of Kent in England, said in an email Tuesday. “These groups are well-funded, operate like a business and are extremely careful in their approach,” he added, describing the takedown as significant.

U.S. officials categorize LockBit as a “Ransomware-as-a-Service” model, meaning it provides third-party criminals with access to a variant of the group’s ransomware in return for a one-time fee or ongoing payments. “This substantially increases the scale of LockBit attacks and has helped it become so prolific,” Nurse said.

According to the FBI, the tool has been used to execute more than 1,700 cyberattacks in the United States, its targets ranging from local schools to global aerospace giants.

Nurse said LockBit’s creators appear to be financially motivated, using their malware to compromise systems and demand ransoms. “If payments aren’t made, the group threatens to publish stolen data on leak websites, a tactic known as double extortion,” he said. In November, Reuters reported that LockBit published data stolen from Boeing after a ransomware attack confirmed by the company.

The same month, LockBit perpetrated a ransomware attack on the financial services division of ICBC, a major Chinese bank, rocking financial markets in a rare attack on a banking-sector target. The tool was also used to cripple Britain’s mail service last year, disrupting international parcel exports for a week.

In 2022, LockBit issued an apology after it said its ransomware was used to target a children’s hospital. It offered the hospital a decryptor to unlock its systems — and reportedly issued policy guidance that banned criminals from using its software in attacks “where damage to the files could lead to death.”

British law enforcement agencies have previously warned against focusing too much on tackling individual variants of ransomware, comparing the strategy to a game of whack-a-mole. “While on the surface, an attack can be attributed to a piece of ransomware (such as Lockbit), the reality is more nuanced, with a number of cybercriminal actors involved throughout the process,” the NCA said. Disrupting individual ransomware variants “is akin to treating the symptoms of an illness, and is of limited use unless the underlying disease is addressed,” the agency said.

Nurse said the wider effect of Operation Cronos in disbanding LockBit’s criminal operations will depend on whether law enforcement agents succeed in also seizing source code, details of victims and chats between affiliates.

“Assuming this is the case, the group and especially its affiliates may disband their operations, even if only for some period for fear that the National Crime Agency of the U.K., the FBI or Europol could find out their identities and look to arrest them,” he said.
