As part of a special task force known as Operation Cronos, the U.K. National Crime Agency (NCA) announced on Tuesday that it had obtained LockBit’s source code along with a wealth of information about its operations and those of its associates.
“Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” the agency added.
It was announced that two LockBit actors were arrested in Poland and Ukraine. Additionally, more than 200 bitcoin accounts associated with the gang have been frozen. In a separate development, two other Russian nationals accused of carrying out LockBit attacks had their indictments and sanctions unveiled in the United States.
The U.S. Department of Justice (DoJ) has charged Artur Sungatov and Ivan Gennadievich Kondratiev (also known as Bassterlord) with deploying LockBit against multiple victims in the United States, including manufacturing companies and businesses in other industries nationwide, as well as victims worldwide in the semiconductor and other industries.
Kondratiev has also been charged with three criminal counts related to his use of the Sodinokibi (also known as REvil) ransomware variant. This included encrypting data, stealing victim information, and demanding ransom payments from a corporate victim located in Alameda County, California.
The NCA labelled LockBit the ‘world’s most harmful cybercrime group,’ prompting a worldwide disruption campaign against the gang.
The agency claimed that as part of the takedown operations, it penetrated LockBit’s entire illegal operation and assumed control over its services. This included the public-facing leak site hosted on the dark web as well as the affiliate administration environment.
Furthermore, over 1,000 decryption keys have been recovered from the seized LockBit servers, which also encompassed 34 servers belonging to LockBit affiliates.
With its launch in late 2019, LockBit has operated as a ransomware-as-a-service (RaaS) business model, where affiliates license encryptors to execute attacks in exchange for a share of the ransom proceeds. The operation is controlled by a threat actor known as LockBitSupp.
The attackers employ a double extortion strategy, seizing sensitive data before encrypting it. Victims are coerced into paying to regain access to their files and prevent the exposure of their data.
Europol stated: “The ransomware group is also notorious for trying out novel ways to force their victims to pay ransoms.”
“Triple extortion is one such method which includes the traditional methods of encrypting the victim’s data and threatening to leak it, but also incorporates distributed denial-of-service (DDoS) attacks as an additional layer of pressure.”
LockBit’s custom data exfiltration tool, StealBit, streamlines data theft. Authorities from three countries—the United States included—have since taken possession of the infrastructure used to stage and transfer stolen victim data.
According to Eurojust and the DoJ, LockBit attacks have impacted over 2,500 victims worldwide and generated over $120 million in criminal revenue. A free decryption tool for recovering files encrypted by the ransomware is also available through No More Ransom.
“Through our close collaboration, we have hacked the hackers, taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” stated Graeme Biggar, Director General, NCA.
“LockBit is locked out as of today. We have undermined the capacity and, above all, the legitimacy of an organization that depended on anonymity and secrecy. Maybe LockBit wants to start over in their illegal business. All the same, we are aware of their identity and methods.”
The LockBit Saga: Events Schedule
- February 20, 2024
Broken LockBit – Law Enforcement Takes Darknet Domains
Darknet domains associated with the ransomware group LockBit, which has stolen over $91 million since 2019, were successfully seized by an international law enforcement operation involving 11 nations and Europol. The operation, dubbed Cronos, dealt a severe blow to LockBit’s operations by exploiting a PHP security vulnerability.
- Valentine’s Day, 2024
LockBit Hackers Arrested – Decryption Tool Released
The UK’s NCA halts LockBit ransomware, blocking over 200 cryptocurrency accounts, arresting two individuals in Poland and Ukraine, and indicting two Russians in the US. Investigators obtained code and intelligence from LockBit, dismantled 34 servers, and acquired 1,000 decryption keys. LockBit impacted 2.5k victims globally and generated $120M; decryption tools are now available to victims to recover their files.
- February 2, 2024
$15 Million Bounty for Information on LockBit Ransomware Leaders
The US State Department offers a $15 million reward for information leading to the capture of LockBit ransomware leaders, responsible for over 2,000 global attacks since 2020, causing $144 million in damages. Law authorities hacked LockBit, seized assets, and arrested affiliates. Despite setbacks, LockBit, renowned for its ransomware-as-a-service model, extensive affiliate network, and innovative strategies such as a bug bounty program, remains a significant cyber threat.
- February 25, 2024
‘Engages’ with Police – LockBit Ransomware Kingpin
Following a major global crackdown on the ransomware-as-a-service operation known as Operation Cronos, the individual or individuals behind the LockBit ransomware service, known as LockBitSupp, reportedly reached out to law enforcement.
- February 26, 2024
Return of LockBit – Requests Attacks on US Government
Shortly after law enforcement seized its servers, the LockBit ransomware gang resurfaced on the dark web with new infrastructure. The group discussed the seizure of its websites, attributing it to the possible exploitation of a PHP vulnerability, and listed 12 additional victims on its data leak site.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.