The U. K. National Crime Agency (NCA ) announced on Tuesday that Operation Cronos, a specialized task force, had obtained LockBit’s source code as well as information about its activities and affiliates.
According to the organization, some of the data on LockBit’s systems belonged to victims who had paid the threat actors a ransom. This proves that, despite what the criminals have promised, even after payment, data is not always deleted.
Two LockBit actors were also detained in Poland and Ukraine, according to the announcement. The group’s more than 200 cryptocurrency accounts have all been frozen. Additionally, two additional Russian nationals who are accused of carrying out LockBit attacks have had their indictments revealed in the U.S.
According to the U.S. Department of Justice ( DoJ), Artur Sungatov and Ivan Gennadievich Kondratiev ( also known as Bassterlord ) have been charged with using LockBit against numerous victims in the United States, including companies operating across the country in manufacturing and other industries as well as victims worldwide in semiconductor and related industries.
In addition, Kondratyev has been charged with three criminal counts for using the Sodinokibi, also known as REvil, ransomware variant to extort money from an Alameda County, California-based corporate victim.
The NCA referred to LockBit as the “world’s most harmful cyber crime group” during an international disruption campaign, which led to this development.
The organization claimed that it invaded LockBit’s entire criminal enterprise and took control of its services as part of the takedown efforts. This covers both the public-facing leak site hosted on the dark web and the affiliates ‘ administrative environments.
More than 1, 000 decryption keys have also been recovered from the seized LockBit servers, along with 34 servers that are affiliated with the company.
Since its late 2019 debut, LockBit has operated a ransomware-as-service ( RaaS ) scheme in which encryptors are granted licenses to affiliates, who carry out the attacks in return for payment.
Threat actors put pressure on victims to pay in order to decrypt their files and stop their data from being published. The attacks use a strategy known as double extortion to steal sensitive data before encrypting it.
According to Europol, the ransomware group is also infamous for testing out novel ways to coerce their victims into making payments.
One such technique is triple extortion, which uses distributed denial-of-service ( DDoS ) attacks as an additional layer of pressure in addition to the conventional methods of encrypting the victim’s data and threatening to leak it.
A unique data exfiltration tool with the code name StealBit facilitates the data theft. Authorities from three nations, including the United States, have since taken control of the infrastructure that was used to organize and transfer victim data.
Over 2,500 people are thought to have died as a result of LockBit attacks worldwide, which also generated more than$ 120 million in illegal profits, according to Eurojust and DoJ. No More Ransom also offers a decryption tool that can be used for free to recover files that have been encrypted by the ransomware.
According to NCA Director General Graeme Biggar,” we have hacked the hackers, taken control of their infrastructure, seized their source code, and obtained keys that will aid victims in decrypting their systems.”
LockBit is currently locked out. We have harmed a group’s capacity and, more importantly, credibility, which depended on anonymity and secrecy. It’s possible that LockBit wants to relaunch its criminal business. But we are aware of their identities and methods of operation.