Updated article with additional information on the operation on February 20 at 7:21 EST: .
In an international crackdown operation, law enforcement detained two members of the LockBit ransomware gang in Poland and Ukraine, developed a free decryption tool, and took control of more than 200 crypto wallets.
Additionally, five indictments and three international arrest warrants for other LockBit threat actors were issued by French and American judicial authorities.
The U.S. Justice Department released two indictments against two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev ( also known as Bassterlord ), for their involvement in the LockBit attacks.
Previous accusations against Lockbit ransomware actors include Mikhail Vasiliev ( November 2022 ), Ruslan Magomedovich Astamirov ( June 2023 ), and Mihail Pavlovich Matveyv, also known as Wazawaka.
The U.S. Department of Affairs, Treasury Department, Office of Foreign Assets Control, and Sungatov and Kondratiev were also sanctioned today.
Cronos Operation
The global LockBit crackdown was coordinated by Cronos Operation, a task force headed by the U.K. National Crime Agency (NCA) and coordinated in Europe by Europol and Eurojust. The investigation began in April 2022 at Eurojust, following a request from the French authorities.
The primary platform of LockBit and other essential infrastructure that supported their criminal enterprise have been compromised as a result of the months-long operation, according to Europol.
34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK have all been shut down as a result of this.
More than 14,000 rogue accounts responsible for exfiltration or infrastructure have been found and referred to law enforcement for removal, and this infrastructure is now under their control.
According to Europol, LockBit members used those rogue accounts to host attack tools and software as well as to store company data.
embedded content
As part of Cronos Operation, law enforcement also retrieved over 1,000 decryption keys from the seized LockBit servers. Using these decryption keys, the Japanese Police, the NCA, and the Federal Bureau of Investigation (FBI) developed a LockBit 3.0 Black Ransomware decryption tool with Europol’s support.
The” No More Ransom” portal now offers access to this free decryptor. A response was not immediately available when BleepingComputer contacted Europol to find out if the decryptor only aids LockBit victims after a specific date.
How much cryptocurrency was kept in the 200 seized wallets is currently unknown. However, similar to what the FBI previously did for Colonial Pipeline and other healthcare organizations, victims who paid ransom demands may now be able to recoup some of their payments.
According to Europol and nbsp, they have gathered” a vast amount” of information about the LockBit operation, which will be applied to ongoing operations aimed at the group’s leaders, developers, and affiliates.
Seizing of LockBit infrastructure
The NCA has taken control of the gang’s dark web leak sites and LockBit servers, which are used to host data stolen from victims ‘ networks during double extortion attacks.
Dark websites for LockBit were deactivated yesterday, displaying seizure banners that revealed the disruption brought on by ongoing international law enforcement action.
The police have also seized the affiliate panel for the ransomware group, and after affiliates log in, they will see a message informing them that their information—chats, LockBit source code, etc. —has also been taken.
The message reads,” We have source code, information about the victims you attacked, money extorted, data stolen, chat history, and much, much more.”
“We may be in touch with you very soon. Have a nice day. Regards, The National Crime Agency of the U.K., the FBI, Europol, and the Cronos Operation Law Enforcement Task Force.”
Describe LockBit.
Since its inception in September 2019, the LockBit ransomware as-a-service ( RaaS ) operation has been linked to or has claimed attacks on numerous high-profile companies around the world, including Boeing, the UK Royal Mail, a major continental automaker, and the Italian Internal Revenue Service.
After as many as 1,700 attacks since 2020, LockBit is estimated to have extorted at least$ 91 million from U.S. organizations, according to a joint advisory published in June.
The gang had over 2,000 victims as of today, according to the U.S. Department of Justice, and they had amassed more than$ 120 million in ransom payments after making hundreds of millions of dollars in demands.
Customers were most recently alerted to a data breach by Bank of America after third-party service provider Infosys McCamish Systems ( IMS ) was allegedly attacked by LockBit.
Servers and dark websites used by ALPHV ( BlackCat ) and Hive ransomware have also been seized in recent years as a result of international law enforcement operations.