Operation Cronos: UK seizes control of LockBit infrastructure

Seizure of the group's websites, and a comment from its leader, LockBitSupp.

International law enforcement agencies in 11 countries took control of the LockBit group's website during Operation Cronos.

As a result of the operation, LockBit's .onion data leak site is now under the control of the UK's National Crime Agency (NCA). The site now displays a banner announcing the seizure by law enforcement agencies. The police promise to provide more information about the operation.

[Image: Europol banner on the LockBit leak site]

VX-underground reports that law enforcement agencies also took down the LockBit affiliate panel. According to a post on the site, LockBit's source code, chats, and victim information have been seized.

[Image: Message about the seizure of the LockBit affiliate dashboard]

Operation Cronos brought together law enforcement agencies from 11 countries, including Australia, Canada, Sweden, Finland, Germany, the Netherlands, Japan, France, Switzerland, the United Kingdom and the United States, under the auspices of Europol.

Although the LockBit leak site is no longer available and shows either a seizure message or a connection error, some of the group's other darknet websites (including sites for posting data and the gang's private messaging) are still operational. BleepingComputer also confirmed that the ransom negotiation sites are unavailable, but they do not display a seizure message.

The Tox account status of the group's representative, "LockBitSupp", now shows a message stating that the FBI hacked the ransomware servers using a PHP exploit.

"The FBI seized servers via PHP, backup servers without PHP cannot be touched," LockBitSupp said in a statement.

It is worth noting that in March 2023, the LockBit group's infrastructure went offline, causing a stir in the community. Some industry experts linked the outage to an FBI takeover of the group's servers, as had happened with the Hive group in January.
 
The U.S. indictment charges two Russian citizens with attacks on multiple victims in the U.S. and other countries; the FBI seizes infrastructure; and the Treasury Department takes additional action against LockBit.

The Department of Justice joined the United Kingdom and international law enforcement partners in London today to announce the disruption of the LockBit ransomware group, one of the most active ransomware groups in the world, which targeted more than 2,000 victims, received more than $120 million in ransom payments, and made ransom demands totaling hundreds of millions of dollars.

The cyber division of the UK's National Crime Agency (NCA), working in collaboration with the Department of Justice, the Federal Bureau of Investigation (FBI) and other international law enforcement partners, disrupted LockBit by seizing numerous public-facing websites used by LockBit to connect to the organization's infrastructure and by taking control of its servers. This will disrupt the ability of LockBit participants to attack and encrypt networks, as well as to extort victims by threatening to publish stolen data.

"Over the years, LockBit employees have carried out similar attacks again and again throughout the United States and around the world. Today, law enforcement agencies in the United States and Great Britain are taking the keys to their criminal activities," said Attorney General Merrick B. Garland. "And we're going further — we've also obtained keys to the hijacked LockBit infrastructure to help victims decrypt their hijacked systems and restore access to their data. LockBit is not the first ransomware that has been defused by the Justice Department and its international partners. It won't be the last one."

In addition, the NCA, in collaboration with the FBI and international law enforcement partners, has developed decryption capabilities that could allow hundreds of victims around the world to recover systems encrypted with the LockBit ransomware. Starting today, victims targeted by this malware are advised to contact the FBI at https://lockbitvictims.ic3.gov/, so that law enforcement agencies can determine whether vulnerable systems can be successfully decrypted.

"Today's actions are yet another down payment as part of our commitment to continue dismantling the ecosystem that fuels cybercrime, prioritizing disruption and putting victims first," Deputy Attorney General Lisa Monaco said in a statement. "Using our full powers and working alongside partners in the United Kingdom and around the world, we have destroyed the online backbone of the LockBit group, one of the most prolific ransomware gangs in the world. But this is not the end of our work: Together with our partners, we are changing the situation with LockBit: we provide decryption keys, unlock victims' data, and target LockBit's criminal affiliates around the world."

The Justice Department also released an indictment obtained in the District of New Jersey that charges Russian citizens Arthur Sungatov and Ivan Kondratyev, also known as Bassterlord, with using LockBit against numerous victims across the United States, including businesses across the country in manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. Additional criminal charges were filed today in the Northern District of California against Kondratyev related to his use of a ransomware program in 2020 against a victim located in California.

Finally, the Department also unsealed two search warrants issued in the District of New Jersey that authorized the FBI to shut down several U.S. servers used by LockBit members in connection with the LockBit disruption. As indicated in these search warrants, LockBit administrators used these servers to host the so-called "StealBit" platform, a criminal tool used by LockBit members to organize and transfer victims' data.

"Today, the FBI and our partners successfully disrupted the LockBit criminal ecosystem, which is one of the most widespread types of ransomware around the world," said FBI Director Christopher A. Wray. "Over years of groundbreaking investigative work, the FBI and our partners have significantly reduced the ability of hackers responsible for launching devastating ransomware attacks on critical infrastructure and other public and private organizations around the world. This operation demonstrates both our capabilities and our commitment to protecting our nation's cybersecurity and national security from any attacker who seeks to affect our way of life. We will continue to work with our domestic and international allies to identify, combat and contain cyber threats and bring those responsible to justice."

According to an indictment obtained in the District of New Jersey, since at least January 2021, Sungatov allegedly used the LockBit ransomware program against victim corporations and took steps to fund additional LockBit attacks against other victims. Sungatov allegedly used the LockBit ransomware against manufacturing, logistics, insurance and other companies located in Minnesota, Indiana, Puerto Rico, Wisconsin, Florida and New Mexico. In addition, as early as August 2021, Kondratyev allegedly began using LockBit against several victims in a similar way. Kondratyev, who operates under the online pseudonym "Bassterlord", allegedly used LockBit against municipal and private facilities in Oregon, Puerto Rico, and New York, as well as additional targets located in Singapore, Taiwan, and Lebanon. It is alleged that both Sungatov and Kondratyev participated in the LockBit global conspiracy, which also allegedly included Russian citizens Mikhail Pavlovich Matveev and Mikhail Vasiliev, as well as other LockBit participants, in order to develop and implement the LockBit ransomware program and extort payments from victim corporations.

"Today's indictment, released as part of a global coordinated action against the world's most active ransomware group, brings to five the total number of LockBit members indicted by my office and our partners in the FBI and the Computer Crimes and Intellectual Property Division for their crimes," said U.S. Attorney Philip R. Sellinger for the District of New Jersey. "And even with today's LockBit outage, we won't stop there. Our investigation will continue, and we remain determined to identify and bring charges against all LockBit members - from its developers and administrators to its affiliates. We will draw attention to them as wanted criminals. They will no longer hide in the shadows."

With today's indictment made public, a total of five LockBit members have been indicted for their involvement in the LockBit conspiracy. In May 2023, two indictments were released in Washington, D.C., and the District of New Jersey, accusing Matveev of using various ransomware programs, including LockBit, to attack numerous victims across the United States, including the Washington, D.C. Metropolitan Police Department. Matveev is currently the subject of a reward of up to $10 million under the US State Department's Transnational Organized Crime Rewards Program; tips can be submitted through the FBI tip website at https://tips.fbi.gov. In November 2022, a criminal case was filed in the District of New Jersey, in which Vasiliev was charged in connection with his participation in the global LockBit ransomware campaign. Vasiliev, who holds dual Russian-Canadian citizenship, is currently in Canadian custody awaiting extradition to the United States. In June 2023, Russian citizen Ruslan Magomedovich Astamirov was indicted on criminal charges in the District of New Jersey for his involvement in the LockBit conspiracy, including using LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.

Kondratyev, according to the indictment obtained in the Northern District of California and released today, is also charged with three criminal counts related to his use of the Sodinokibi ransomware program, also known as REvil, to encrypt data, exfiltrate victim information, and extort a ransom from a victim corporation based in Alameda County, California.

The LockBit ransomware variant first appeared around January 2020 and, by the time of today's action, had become one of the most active and destructive variants in the world. LockBit members have carried out attacks against more than 2,000 victims in the United States and around the world, making ransom demands worth at least hundreds of millions of US dollars and receiving more than $120 million in ransom payments. The LockBit ransomware program, like other major ransomware variants, operates on a ransomware-as-a-service (RaaS) model, in which administrators, also called developers, develop the ransomware, recruit other participants, called affiliates, to deploy it, and maintain an online software dashboard, a platform called the "control panel", to provide affiliates with the tools they need to deploy LockBit. Affiliates, in turn, identify vulnerable computer systems and gain access to them illegally, sometimes by hacking in themselves and in other cases by acquiring stolen access credentials from others. Using the developer-managed control panel, affiliates then deploy LockBit on the victim's computer system, allowing them to encrypt and steal data and then demand a ransom in exchange for decryption and for not publishing the data on a public website maintained by the LockBit developers, often referred to as a data leak site.

The FBI Newark Field Office is investigating the LockBit ransomware variant.

Assistant U.S. Attorneys Andrew M. Trombley, David E. Malagold, and Vinay Limbachia of the District of New Jersey, and Trial Attorneys Jessica K. Peck, Debra Ireland, and Jorge Gonzalez of the Criminal Division's Computer Crime and Intellectual Property Section filed the charges against Sungatov and Kondratyev, which were released today in the District of New Jersey. The Justice Department's Cybercrime Liaison Prosecutor at Eurojust and the Office of International Affairs also provided significant assistance.

The disruption announced today was the result of a joint operation by the FBI; the NCA's South West Regional Organised Crime Unit; France's National Cyberspace Command; Germany's Schleswig-Holstein State Criminal Police Office (Landeskriminalamt) and the Federal Criminal Police Office (Bundeskriminalamt); the Swiss Federal Office of Police, the Zurich Cantonal Prosecutor's Office and the Zurich Cantonal Police; the Japanese National Police Agency; the Australian Federal Police; the Swedish Police Authority; the Netherlands Police; the Royal Canadian Mounted Police; the Netherlands' East Brabant Regional Police; the Finnish Police; Europol; and Eurojust.

The FBI Phoenix Field Office and Assistant U.S. Attorney Helen L. Gilbert are investigating and prosecuting the case against Kondratyev in the Northern District of California.

In addition, the U.S. Treasury's Office of Foreign Assets Control announced today that it is designating Sungatov and Kondratyev for their roles in the cyberattacks.

As mentioned above, LockBit victims should contact the FBI at https://lockbitvictims.ic3.gov for more information. For more information about protecting your networks from the LockBit ransomware, visit StopRansomware.gov. This includes Cybersecurity and Infrastructure Security Agency (CISA) advisories AA23-325A, AA23-165A, and AA23-075A.

Watch the Attorney General's remarks at www.youtube.com/watch?v=-jKykhKKMZw.
 
In Canada, one of the administrators of the well-known LockBit group, which specializes in distributing ransomware, has been sentenced.

Mikhail Vasiliev, 34, who holds Canadian and Russian citizenship, pleaded guilty to eight charges and received a nearly four-year prison sentence. Vasiliev was detained about a year and a half ago, in October 2022, in the Canadian city of Bradford. The arrest took place as part of an international operation involving the authorities of Europe, the United States and Canada.

Judge Michelle Furst described Vasiliev as a "cyberterrorist" and noted that his actions were motivated by personal financial gain. In addition to the prison term, he will also have to pay $860,000 in compensation to the victims.

Vasiliev pleaded guilty to charges related to cyber extortion, illegal possession of weapons and other crimes. His activities caused serious damage to three Canadian companies in 2021 and 2022. In addition, he was involved in LockBit's activities during the COVID-19 pandemic.

It is also reported that Vasiliev agreed to be extradited to the United States, where charges are brought against him, including conspiracy to intentionally damage protected computers and transfer ransom demands. If convicted in the United States, he faces up to five years in prison.

Vasiliev became one of two named LockBit members in custody. Ruslan Astamirov, accused of using LockBit against victims in Florida, Kenya, France and Japan, is also awaiting trial in the United States.

In general, recent months have been marked by an international fight against LockBit. In February, the UK authorities managed to dismantle the group's infrastructure and identify many affiliated individuals. Two members of the group were also arrested in Ukraine and Poland, but their identities have not yet been disclosed.

Despite the authorities' attempts to stop the group's activities, LockBit's leadership scoffs at the efforts of the security services and claims that it only gets stronger with each blow from law enforcement.

LockBit is still considered one of the most active ransomware operations, with literally thousands of government agencies, businesses, and organizations around the world among its victims.

The group started operating in 2019, offering its software as a service. According to Recorded Future, the group already accounts for almost 2,300 attacks, and total ransom payments have exceeded $120 million.

• Source: https://barrie.ctvnews.ca/convicted...tenced-for-global-ransomware-scheme-1.6805081
 
Despite Operation Cronos, launched at the beginning of the year by the security services of 11 countries against the group's server infrastructure, LockBit was able to regroup and resume operation of its RaaS.

But apparently not for long, because the initiators of the operation are taking new steps in an attempt to strangle a gang that has already become a legend in the ransomware field.

Law enforcement reactivated the Tor site seized during Operation Cronos, posting a number of announcements on it, including a promise to reveal the identity of LockBitSupp and other gang members by May 7.

Having studied the data obtained from 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom, the security services, as expected, also tracked down some of the LockBit operators, whose identities will also be released.

However, according to researchers from VX-underground, the cyber underground disagrees with the statements of its adversaries and does not understand why this whole show is being staged.

"I don't understand why they need this little show. They are clearly upset that we are continuing to work," LockBitSupp said.

By the way, Mickey Bresman, CEO of Semperis, once suggested that Netflix make a series based on the events around LockBit. It might well have been a success, as in the case of Narcos.

But so far the LockBit story continues, and it is unlikely to end after the disclosures announced by the security services; it will more likely become more dynamic and resonant.

In any case, according to LockBit, it intends to continue working, despite any pressure.
 
The head of the LockBit hacker group is Russian citizen Dmitry Khoroshev, who hid under the nickname LockBitSupp. This was stated by the US Department of Justice, which published a photo of the Voronezh resident, who is subject to sanctions as of today. Khoroshev also faces formal charges on 26 counts.

"The United States and its partners around the world are determined to disrupt the ransomware ecosystem, including by exposing the identities of those who carry out ransomware attacks against the United States," said Brian Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence.

In addition, the US State Department announced a reward of up to $10 million for information that identifies or locates any of the high-ranking members of LockBit. Half that amount, $5 million, is offered for information leading to the arrest or conviction, in any country, of any person involved in distributing the LockBit ransomware program.

"Khoroshev, as a LockBit developer, usually received 20 percent of every ransom received from LockBit victims. The partner responsible for the attack received the remaining 80 percent. Thus, Khoroshev received at least $100 million in payments in digital currency," the Ministry of Justice said in a statement.

As noted by the UK's National Crime Agency, data obtained from LockBit's internal systems indicates ransomware activity on a serious scale. In the period from June 2022 to February 2024, more than 7,000 attacks were organized using its malware. The top 5 affected countries are the United States, Great Britain, France, Germany and China. In particular, more than 100 hospitals and medical corporations were attacked. At the same time, at least 2,110 victims were forced to enter into negotiations with the cybercriminals.

• Source: https://home.treasury.gov/news/press-releases/jy2326

• Source: https://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned

KHOROSHEV, Dmitry Yuryevich (a.k.a. KHOROSHEV, Dmitrii Yuryevich; a.k.a. KHOROSHEV, Dmitriy Yurevich; a.k.a. YURIEVICH, Dmitry; a.k.a. "LOCKBITSUPP"), Russia; DOB 17 Apr 1993; POB Russian Federation; nationality Russia; citizen Russia; Email Address khoroshev1@icloud.com; alt. Email Address sitedev5@yandex.ru; Gender Male; Digital Currency Address - XBT bc1qvhnfknw852ephxyc5hm4q520zmvf9maphetc9z; Secondary sanctions risk: Ukraine-/Russia-Related Sanctions Regulations, 31 CFR 589.201; Passport 2018278055 (Russia); alt. Passport 2006801524 (Russia); Tax ID No. 366110340670 (Russia) (individual) [CYBER2].

• Source: https://www.justice.gov/opa/pr/us-c...l-developing-and-operating-lockbit-ransomware

• Source: https://www.justice.gov/opa/media/1350921/dl?inline
 
Following the successful February operation to destroy the infrastructure of the well-known hacker group LockBit, dubbed "LockBit Leak Week," authorities continue to crack down on the cybercriminals. Recently, four more suspects associated with the now-dismantled LockBit ransomware empire were arrested.

The first arrest was made by the French gendarmerie. The suspected developer of LockBit was detained while on vacation in a country that has an extradition agreement with France. The identity of the arrested person is not disclosed in accordance with French law. The country where the detention took place is also not indicated. However, a message appeared on the hacked LockBit blog that the detainee was facing serious charges in France in connection with the case against the organized crime group LockBit.

The arrest took place in August, the same month two more people were detained in the UK. One is suspected of having ties to an affiliate of LockBit, the other of money laundering. Britain's National Crime Agency (NCA) did not disclose the identities of the suspects, but said the data to identify them came from an analysis of information seized during a February operation against the group.

The Spanish Civil Guard also took part in the operation, arresting at Madrid airport a man believed to be a "key suspect." The detainee is believed to be the owner of a so-called "bulletproof" hosting service, one of the key elements of the infrastructure of cybercriminals like LockBit.

During Operation Cronos, a global law enforcement collaboration to dismantle the LockBit group, nine servers belonging to the criminals' infrastructure were accessed and seized. The obtained information is currently being analyzed to go after the main members and affiliates of the ransomware group.

While these arrests are a significant success in the fight against LockBit, they represent only a small part of the group's overall membership. Very few arrests have been made in the entire history of LockBit, and many suspects still remain at large.

Recent law enforcement successes include the arrest of a father and son in Ukraine suspected of links to LockBit, as well as the detention in the United States of 20-year-old Ruslan Magomedovich Astamirov, suspected of carrying out at least five attacks using LockBit ransomware.

One of the most significant discoveries of Operation Cronos was the confirmation of suspicions that LockBit retained stolen data even after the ransom was paid by the victims. An analysis of the source code of LockBit's tools showed that they were designed in such a way that data is never completely deleted.

In the control panel for LockBit affiliates, there was an option to delete the victim's data. However, the researchers found that the "Yes" button in the deletion confirmation window was actually sending a request to LockBit's headquarters, which could approve or deny the request to delete the victim's data.

Even if the request was approved, each file had to be deleted manually by the LockBit administrator by entering the ID of each folder one by one. Only the suspect Dmitry Khoroshev had the ability to actually delete the data, and the affiliate could never know whether the data was actually destroyed.

Moreover, the authorities claim that LockBit has not deleted any data since 2022. This discovery once again confirms that paying a ransom to cybercriminals does not guarantee the safety of data stolen during an attack.

Source

The Civil Guard reports that the detainee is a "key link" to LockBit. He is a native of Belarus and a resident of Dubai. He was detained at Madrid airport, where he was in transit on his way back from Ibiza. This happened back in May, but the operation was only announced now.