Investigators dismantle the Lockbit hacker group

An international team of investigating authorities said it had dismantled the Lockbit hacker group. This was first reported by British law enforcement agency the National Crime Agency (NCA) on Tuesday morning.

Lockbit is accused of extorting thousands of companies and organizations using malware, stealing their data, encrypting it, publishing it and selling the data if a ransom is not paid.

according to Europol Communications Two suspected members of the group have now been arrested, one in Poland and the other in Ukraine.

Furthermore, more than 200 cryptocurrency wallets were frozen and 14,000 “rogue profiles” were blocked. Lockbit members allegedly used the profiles, whose platforms were unknown, to store data stolen from the extorted organizations and to prepare and carry out attacks. He writes IT portal Bleeping Computer.

Europol communications also show that Lockbit also runs infrastructure in this country. 34 servers connected to the group were shut down, including systems in Germany, Switzerland, the Netherlands, Finland, Australia and the USA.

Investigators also published three international arrest warrants and five indictments against suspected Lockbit members. Two of the accused are known: Russians Artur Sunjato and Ivan Kondratiev, known by his nickname “Busterlord”.

“Operation Cronos” publishes the penalty order on the Lockbit website

Law enforcement agencies from ten Western countries worked together in the coup: Germany, Switzerland, France, Great Britain, the Netherlands, Sweden, USA, Canada, Australia and Japan. On the Swiss side, the Federal Police and the Zurich Cantonal Police participated in the investigation.

The investigation team called “Operation Cronos” also took control of the Lockbit dark web site. Reuters shared a screenshot of the dark web site that was taken over on Tuesday morning with the slogan: “Site now under police control.”

According to research by NZZ, investigators posted various reports on the Darknet website in the afternoon, including a punitive order for other Lockbit members and a recommendation for victims of cyber extortion to report to the police.

“We have been infiltrated by hackers,” Graeme Biggar, director of Britain’s National Crime Agency, said in a statement. Media information.

It seems that the authorities do not have full control

It remains unclear how complete the authorities' control over Lockbit is. Security researcher Kevin Beaumont wrote Tuesday morning in Posted on Mastodon, That three Lockbit services are still online. One service is still offering the stolen data for sale. NZZ was able to confirm this in its own research on the Darknet.

tracking mentioned British television station Sky News said a Lockbit representative said via an encrypted messaging app that the group had backup servers that had not been affected by law enforcement. The claim cannot be verified.

Additionally, a letter is circulated on X, presumably from Lockbit itself, in which the group addresses its business partners. It says, among other things, that Lockbit strives to “continuously improve its security mechanisms” and ensure the confidentiality of its data. The post comes from a profile belonging to a closed Telegram group. NZZ was unable to verify the truth of the message.

The data can now be decrypted

Lockbit is one of the most important hacking groups in the world. According to the US Department of Justice They were used in more than 2,000 attacks to extort $120 million.

In 2022, Lockbit was the most widely used ransomware. Among his most prominent victims are: British Postal Service Royal Mail And the French Ministry of Justice.

There is now hope for malware victims. According to Europol, authorities have created a tool that victims can use to decrypt their data. This is via the website “No more ransom” reachable.

According to British authorities, Lockbit appeared on Russian-language forums in 2019, leading some analysts to believe the group originated in Russia. On its dark web website, it listed its headquarters as the Netherlands and emphasized that it was apolitical and was only interested in money. However, one of the gang members, a 20-year-old Russian, was arrested in mid-2023.

Lockbit created a veritable ecosystem around its malware: the group sold the software to so-called affiliates, that is, partners who used it to carry out actual attacks on companies and authorities. In successful attacks, affiliates paid a portion of the ransom to Lockbit, according to one of the sources Indictment From the United States of America, 20 percent. So we are talking about ransomware as a service, i.e. extortion software as a service.

It may now be conceivable that Lockbit is trying to rebuild its criminal enterprise. The authorities are aware of this too. “Our work doesn’t end here,” said NCA President Biggar. But now we know who the actors are and how they work.