
Police arrest LockBit members and release decryptor

 

In an international crackdown on Tuesday, police arrested two operators of the LockBit ransomware gang in Poland and Ukraine, created a free decryption tool to recover encrypted files and seized more than 200 crypto wallets after “hacking” the cyber criminals’ servers.

French and US judicial authorities issued three international arrest warrants and brought five charges against other LockBit operators. Two of the charges were brought by the US Department of Justice against two Russian citizens for their involvement in cyberattacks. Two other hackers were also sanctioned by the US Treasury Department’s Office of Foreign Assets Control.

The global crackdown on LockBit was coordinated by Operation Cronos, a task force led by the UK’s National Crime Agency (NCA) and coordinated in Europe by Europol and Eurojust. The investigation began in April 2022 at Eurojust, following a request from French authorities.

The operation, which lasted months, disrupted the LockBit platform and other infrastructure that supported the gang’s criminal activity. According to Europol, 34 servers were taken down in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom. “This infrastructure is now under control of the authorities and more than 14 thousand fraudulent accounts responsible for exfiltration or infrastructure have been identified and referred for removal by the authorities,” Europol said.

As part of Operation Cronos, law enforcement authorities also recovered more than a thousand decryption keys from the seized LockBit servers. Using these decryption keys, the Japanese Police, NCA and FBI developed a decryption tool with support from Europol. This free decryptor is available on the No More Ransom portal under the name LockBit 3.0 Black Ransomware.

Europol said it has collected a large amount of data on the LockBit operation, which will be used in ongoing operations targeting the group’s leaders, as well as its developers and affiliates. As part of this joint action, the NCA took control of LockBit servers used to host data stolen from victims’ networks in double extortion attacks and the gang’s dark web leak sites.

The LockBit websites were taken offline on Monday the 19th and began displaying banners about the seizure that stated that the interruption was the result of an ongoing international law enforcement action.

The group’s affiliate panel was also seized by police, now showing a message, shortly after logging in, stating that information, LockBit source code, chats and victim information had also been seized. “We have the source code, details of the victims you attacked, the amount of money extorted, the data stolen, chats and much, much more,” the message says. “We can contact you soon. Have a good day. Kind regards, UK National Crime Agency, FBI, Europol and Operation Cronos Law Enforcement Task Force.”

The LockBit ransomware-as-a-service (RaaS) operation emerged in September 2019 and has since been linked to or claimed responsibility for attacks on many high-profile organizations around the world, including Boeing, the UK’s Royal Mail, the automotive giant Continental and the Italian Federal Revenue. The US Department of Justice said the gang had more than 2,000 victims and collected more than $120 million in ransom payments following demands totaling hundreds of millions of dollars.

To access the advisory on the US Department of Justice’s international law enforcement operations that took down LockBit’s infrastructure click here.

 


Sources: CisoAdvisor, US Department of Justice
