Deanon, arrests and revelations: details of the operation against LockBit

Teacher

Professional
Messages
2,674
Reputation
9
Reaction score
661
Points
113
The authorities took a creative approach to disclosing information about actions against the group.

Law enforcement agencies dealt a heavy blow to cybercrime by neutralizing the infrastructure of LockBit, one of the most dangerous ransomware groups. As part of Operation Cronos, the LockBit data leak site was taken over and turned into a platform for exposing the criminals' activities.

[Image: Europol's summary of Operation Cronos]

The site, previously used to publish victims' data, now publishes information on the progress of the investigation. The UK's National Crime Agency (NCA) coordinated the disclosure. The repurposed site retains its original format, but instead of threats and ransom demands, each post presents new facts about the group's activities. One post promises to reveal the identity of the LockBit leader by the end of the week.

[Image: Police records on the LockBit leak site]

The key development is the arrest of two LockBit affiliates in Ukraine and Poland, continuing a series of arrests that began earlier in the United States and Canada. Those arrested are accused of developing and distributing the LockBit malware. The US Department of Justice has also charged Artur Sungatov and Ivan Kondratiev with attacking targets in the United States using the LockBit ransomware.

In addition to the arrests, more than 200 cryptocurrency accounts were frozen and decryption keys were seized for more than 1,000 infections, a significant blow to LockBit's operations. Servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom that were used to distribute the malware were also seized.

An important part of the operation was gaining control of the LockBit platform's source code and collecting intelligence on the group's activities. The collected data will allow law enforcement not only to pursue members of the group but also to help victims regain access to their data; to this end, decryption keys will be made available on a dedicated portal.

[Image: Captured LockBit affiliate portal]

The NCA said that the work on countering LockBit will not end there. Law enforcement agencies will continue to track and prosecute members of LockBit and other cybercrime groups. The NCA also emphasizes that the authorities know who is behind LockBit and how they operate, which will help counter any attempt to revive the group's activities.

More information about LockBit is expected to be published during the week, including data on affiliates, infrastructure, and technical reports from leading information security companies. The revelations will be an important step in the fight against cybercrime, demonstrating the readiness and ability of the international community to counter threats in cyberspace.

Teacher
What is available at the moment:

1) Three press releases, from the Americans, the British and Europol: in short, they built a decryptor from the leaked keys (with the assistance of the Japanese police), promise to unlock everything, claim they fucked the entire infrastructure (they counted as many as 34 servers), at least (as I understand it) the affiliate panel, blog and chats, froze money (apparently this refers to stock market shares; the figure is more than 200 shares), and made two arrests (a Ukrainian in Poland and a Ukrainian in Vinnytsia).

2) To prove how deep they got into the infrastructure, they published internal screenshots of the panel (http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion/posts/lockbit-leaks.php); backend options are visible there.

3) They took a hard look at Basster and his partner (apparently greetings from Prodaft), unsealed the indictment documents against them (https://storage.courtlistener.com/recap/gov.uscourts.cand.395683/gov.uscourts.cand.395683.1.0.pdf), added them to the sanctions list, and said that info on Basster (his deanon) has been known since 2022. I was floored by the presence of Gmail addresses for both comrades: https://ofac.treasury.gov/recent-actions/20240220

In the indictment I noticed the Basster episode, where it was emphasized that he received a ransom from a victim in Monero. Call me paranoid, but in connection with the episode of the Finn Kivimäki, I admit that technologies have appeared to effectively track Monero (possibly with errors and linking to exchanges).

4) The decryptor has already been uploaded here: https://www.nomoreransom.org/en/decryption-tools.html

5) It was unpleasant to see screenshots of the ban of the LB affiliate program on CSU and Exploit. I assure you this is a coincidence, but they took advantage of the situation (which I was afraid of) and are now apparently trying to sow confusion.

What was promised:
- deanon of Lockbitsupp (in two days);
- information on the group of affs (new deanons and sanctions are possible);
- information on StealBit (internal tool for data exfiltration);
- a Prodaft report (without details; I suspect everything will be chewed over regarding Basster) and a Trend Micro one (on the new LB decryptor);
- a financial striptease on LB operations.

I don't seem to have missed anything important.

I suggest everyone stock up on popcorn; there will be more fucking fun in public. Affs are advised to take security measures now.

• Source: a.k.a bratvacorp

Teacher
Law enforcement officers have shared additional information about Operation Cronos, during which the infrastructure of the LockBit ransomware group was hacked. Authorities report the arrests of two LockBit participants in Poland and Ukraine, as well as the seizure of more than 200 cryptocurrency wallets. In addition, a tool for decrypting and freely recovering files affected by LockBit attacks has been released.

Operation Cronos

Recall that Operation Cronos was announced earlier this week. As a result, many LockBit sites used to leak data and negotiate with victims stopped working and came under the control of law enforcement. However, the authorities did not immediately disclose the details of the operation and are still releasing information in doses, promising to publish new data gradually.

It is reported that the international operation against LockBit was led by the UK's National Crime Agency (NCA), with law enforcement from 11 countries coordinated by Europol and Eurojust. The investigation began in April 2022 at the request of the French authorities.

"As a result of the operation, which lasted several months, the main LockBit platform and other critical infrastructure that supported the activities of this criminal organization were compromised," Europol reports. "During the operation, 34 servers were seized in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom."

According to Europol, the LockBit infrastructure is now under the control of the authorities. During the operation, more than 14,000 accounts associated with data theft or the group's infrastructure were identified; LockBit used them to host the tools and software used in attacks and to store files stolen from companies. Data on these accounts has now been handed over to law enforcement.

"Some of the data in LockBit's systems belonged to victims who paid a ransom to the attackers. This shows that even if the ransom is paid, there is no guarantee that the data will actually be deleted, despite the criminals' promises," the NCA notes.

It also became known that law enforcement extracted more than 1,000 decryption keys from the seized LockBit servers. Using these keys, the Japanese police, the NCA and the FBI, with Europol's support, created a tool to decrypt data affected by LockBit 3.0 Black ransomware attacks. This free decryptor is already available on the No More Ransom portal.

In addition, Europol says it collected "a huge amount of data" on LockBit's operations, which will now be used in investigations of the group's leaders, malware developers and operators.

Arrests and Cryptocurrency

So far only two arrests are known, in Poland and Ukraine, where two LockBit members whose identities were not disclosed were arrested at the request of the French authorities. In addition, French and American authorities have issued three more international arrest warrants and published five indictments against other members of the group.

"We have not arrested all those who are associated with LockBit (with the core of the group or its partners). This is a long-term process. Now we have collected a huge amount of information and will be approaching these people, especially if they are located in accessible jurisdictions. But now they all know that we are watching them, looking for them, and they will constantly look over their shoulder," Jean-Philippe Lecouffe, Europol's Deputy Executive Director for Operations, said during a press conference.

The US Department of Justice, in turn, filed charges in absentia against two Russian citizens, Artur Sungatov and Ivan Kondratyev (aka Bassterlord), for their involvement in LockBit attacks.

Since January 2021, Sungatov allegedly used the LockBit ransomware to attack "manufacturing, logistics, insurance and other companies located in Minnesota, Indiana, Puerto Rico, Wisconsin, Florida and New Mexico."

Kondratyev, according to the Department of Justice, has been using LockBit since August 2021, targeting "municipal and private facilities in Oregon, Puerto Rico and New York, as well as other targets located in Singapore, Taiwan and Lebanon." In a separate indictment, Kondratyev is also linked to using REvil malware in 2020 to extort money from an unnamed Alameda County company.

In turn, the US Treasury Department announced sanctions against Sungatov and Kondratyev.

Note that the leak site, which the hackers normally used to publish information stolen from victim companies and for blackmail, now "leaks" data about LockBit itself.

Judging by the countdown timers, at the end of the week law enforcement may reveal the identity of the group's administrator, known as LockBitSupp (or offer a large reward for any information about him), and publish information about the hackers' cryptocurrency assets. SecureWorks and Trend Micro reports on LockBit's operations and the malware itself will also be published.

Among the data already published by law enforcement are screenshots of the LockBit backend.

As for the group's seized cryptocurrency wallets, it is not yet known how much money they contained. But it is likely that some companies affected by LockBit attacks will now be able to recover the ransoms paid to the hackers, as Colonial Pipeline managed to do in 2021.

• Source: https://home.treasury.gov/news/press-releases/jy2114

• Source: https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant

• Source: https://www.nationalcrimeagency.gov...argeting-worlds-most-harmful-ransomware-group

• Source: https://www.nomoreransom.org/ru/decryption-tools.html#Lockbit30

• Source: https://www.europol.europa.eu/media...t-disrupt-worlds-biggest-ransomware-operation

-------

As we expected, the next revelations concern LockBit operators, of whom there are almost two hundred, or more precisely 193.

The list itself was even published.

On Friday, representatives of the security services promise to reveal the identity of LockBitSupp himself; at least that is what is stated on the DLS seized by the security forces.

Meanwhile, LockBit claims that the representative's real identity is unknown to them.


-----------

Under the direction of prosecutors from the Prosecutor General's Office, investigators of the Main Investigation Department of the National Police of Ukraine and the Security Service of Ukraine, acting on international legal requests from the competent authorities of the French Republic, stopped the operation of a transnational criminal hacker group that specialized in spreading the LockBit ransomware.

This international cyber operation was conducted in cooperation with the competent authorities of the French Republic, Germany, the Netherlands, Sweden, Australia, Canada, Japan, the United Kingdom of Great Britain, the United States, Switzerland, Finland, Poland, New Zealand and Europol.

Based on the coordinated joint action plan, law enforcement agencies on the territory of Ukraine conducted a series of searches at the residences of persons involved in the illegal activity. Mobile phones and computer equipment they used were seized.

Thanks to thorough preparation and effective cooperation with international partners, all planned investigative actions were carried out, confirming the involvement of each of the defendants.

• Source: https://www.gp.gov.ua/ua/posts/prip...go-zlocinnogo-xakerskogo-ugrupovannya-lockbit