A sweeping law enforcement operation led by the U.K.'s National Crime Agency this week took down LockBit, the notorious Russia-linked ransomware gang that has for years wreaked havoc on businesses, hospitals, and governments around the world.
The action saw LockBit's leak site downed, its servers seized, a number of arrests made, and U.S. government sanctions applied in what is undoubtedly one of the most significant operations taken against a ransomware group to date.
It's also, undoubtedly, one of the more novel takedowns we've seen, with U.K. authorities announcing the seizure of LockBit's infrastructure on the group's own leak site, now home to a host of details about the gang's inner workings — with the promise of more to come.
Here's what we've learned so far.
LockBit didn't delete victims' data — even when they paid
It's long been suspected that paying a hacker's ransom demand is a gamble and not a guarantee that stolen data will be deleted. Some corporate victims have even said as much, stating they "cannot guarantee" that their data would be erased.
The LockBit takedown has given us confirmation that this is absolutely the case. The NCA revealed that some of the data found on LockBit's seized systems belonged to victims who had paid a ransom to the threat actors, "evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised," the NCA said in a statement.
Even ransomware gangs fail to patch vulnerabilities
Yes, even ransomware gangs are slow to patch software bugs. According to malware research group vx-underground, citing LockBitSupp, the alleged leader of the LockBit operation, law enforcement hacked into the ransomware operation's servers using a known vulnerability in the popular web coding language PHP.
The vulnerability used to compromise its servers is tracked as CVE-2023-3824, a remote code execution flaw patched in August 2023, giving LockBit months to fix the bug.
"FBI f****d up servers via PHP, backup servers without PHP can't be touched," reads LockBitSupp's translated message to vx-underground, originally written in Russian.
Ransomware takedowns take a long time
The LockBit takedown, known formally as "Operation Cronos," was years in the making, according to European law enforcement agency Europol. The agency revealed Tuesday that its investigation into the notorious ransomware gang began in April 2022, some two years ago, at the request of French authorities.
Since then, Europol said, its European Cybercrime Centre, or EC3, organized more than two dozen operational meetings and four technical one-week sprints to develop the investigative leads ahead of the final phase of the investigation: this week's takedown.
LockBit has hacked more than 2,000 organizations
It has long been known that LockBit, which first entered the competitive cybercrime scene in 2019, is one of, if not the most, prolific ransomware gangs.
Tuesday's operation all but confirms that, and now the U.S. Justice Department has numbers to back it up. According to the DOJ, LockBit has claimed over 2,000 victims in the U.S. and worldwide, and received more than $120 million in ransom payments.
Sanctions targeting a key LockBit member may affect other ransomware
One of the top LockBit members indicted and sanctioned on Tuesday is a Russian national, Ivan Gennadievich Kondratiev, who U.S. officials allege is involved in other ransomware gangs.
According to the U.S. Treasury, Kondratiev also has ties to REvil, RansomEXX and Avaddon. While RansomEXX and Avaddon are lesser-known variants, REvil was another Russia-based ransomware variant that gained notoriety for high-profile hacks, making millions in ransom payments by hacking U.S. network monitoring giant Kaseya.
Kondratiev was also named a leader of a newly disclosed LockBit sub-group called the "National Hazard Society." Little else is known about this LockBit affiliate yet, but the NCA promised to reveal more in the coming days.
The sanctions effectively ban U.S.-based victims of Kondratiev's ransomware from paying him the ransoms he demands. Given that Kondratiev has a hand in at least five different ransomware gangs, the sanctions are likely to make his life five times more difficult.
The British have a sense of humor
Some people (i.e. me, a British person) would argue that we knew this already, but the LockBit sting has shown us that the U.K. authorities have a sense of humor.
Not only has the NCA made a mockery of LockBit by mimicking the gang's dark web leak site for its own LockBit-related revelations, but we also found various Easter eggs hidden on the now-seized LockBit site. Our favourite is the file names for the site's images, which include "oh dear.png," "doesnt_look_good.png" and "this_is_really_bad.png."