Major ransomware site taken down in international law enforcement sting

20 February 2024, 13:14

LockBit
LockBit. Picture: PA

Five Russians were charged by US authorities in relation to LockBit, which was used in a quarter of ransomware attacks last year.

A site used to sell the hacking software behind thousands of ransomware attacks has been taken down in an international law enforcement sting.

LockBit was used in a quarter of ransomware attacks last year and was described as the most prolific group of its kind in the past four years.

Thousands of victims were targeted internationally and more than 200 in the UK, including the Royal Mail and public service bodies including hospitals.

Another attack in September saw sensitive military information leaked when private security firm Zaun was targeted.

Director General of the National Crime Agency Graeme Biggar said: “We have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

The gang behind the software used marketing tactics including paying 1,000 US dollars to customers who had the logo tattooed on themselves and payouts for anyone who spotted errors in their code.

US authorities have charged five Russians in relation to LockBit, and two other suspects have been arrested in Poland and Ukraine.

Around 200 cryptocurrency accounts have also been frozen by investigators.

The site had been used by LockBit to sell services, including ransomware, to hackers which would allow them to breach people’s computer networks.

Victims were locked out of their systems and asked to pay a ransom in order to get access to their data, causing billions in losses for the payments and the cost of recovering information.

NCA investigators found that the gang behind the ransomware attacks did not always delete data when victims paid ransoms.

Lockbit taken down
Experts have said the action against LockBit is a significant short term blow, but that the group may rebuild its operation (Tim Goode/PA)

It said it has found more than 1,000 decryption keys held by hackers and will be contacting UK-based victims to help them recover encrypted data.

Two of the suspects charged by the US are in custody, Mikhail Vasiliev, who is being held in Canada awaiting extradition, and Ruslan Magomedovich Astamirov, who is in the US.

The remaining three, Artur Sungatov, Ivan Kondratyev and Mikhail Pavlovich Matveev, are at large.

The NCA said the infrastructure supporting LockBit’s tool that was used to steal data, known as StealBit, based in three countries, has also been seized.

Hundreds of people are thought to have been involved in running the group.

Mr Biggar said: “Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code and obtained keys that will help victims decrypt their systems.”

Paul Foster, head of the NCA’s national cybercrime unit, said that LockBit’s popularity was partly because it was so easy to use.

He said: “LockBit had established itself as the preeminent ransomware strain over the last four years and one of the reasons for this was its intuitive platform and its relative ease of use.

“That means just with a few simple clicks even the less technically savvy cybercriminals used LockBit to deploy ransomware.

“Another key reason for their past criminal success was the marketing and branding that underpinned LockBit. They had a slick website and they had loyal customers.

“They ran a successful marketing campaign that included a promise to pay 1,000USD to anybody who had the LockBit logo tattooed on themselves.”

Experts said that while LockBit may rebuild its network, the law enforcement action is a major setback.

Chris Morgan, senior cyber threat intelligence analyst from cybersecurity firm ReliaQuest said: “The operation carried out by law enforcement against Lockbit could potentially be the most significant action taken against ransomware so far.

“The success of the law enforcement operation will be dictated over whether Lockbit are able to recover their operations.

“ReliaQuest has observed Lockbit as the most active and prolific ransomware groups for several years, who will likely have significant resources and backup infrastructure capable of recovering operations and showing resilience.

“The operation will however likely deal a significant short term blow to the group’s operations, sowing distrust throughout the groups affiliates over potential law enforcement compromise.”

Chester Wisniewski, director, global field CTO at cybersecurity firm Sophos said: “Lockbit rose to be the most prolific ransomware group since Conti departed the scene in mid-2022.

“The frequency of their attacks, combined with having no limits to what type of infrastructure they cripple has also made them the most destructive in recent years.

“Anything that disrupts their operations and sows distrust amongst their affiliates and suppliers is a huge win for law enforcement.

“We shouldn’t celebrate too soon though.

“Much of their infrastructure is still online, which likely means it is outside the grasp of the police and the criminals have not been reported to have been apprehended.”

By Press Association

More Technology News

See more More Technology News

A person holds an iphone showing the app for Google chrome search engine

Apple and Google ‘should face investigation over mobile browser duopoly’

A Google icon on a smartphone

Firms can use AI to help offset Budget tax hikes, says Google UK boss

Icons of social media apps, including Facebook, Instagram, YouTube and WhatsApp, are displayed on a mobile phone screen

Growing social media app vows to shake up ‘toxic’ status quo

Will Guyatt questions who is responsible for the safety of children online

Are Zuckerberg and Musk responsible for looking after my kids online?

Social media apps on a phone

U16s social media ban punishes children for tech firm failures, charities say

Google shown on a smartphone

US Government proposes forcing Google to sell Chrome to break-up tech empire

The logo for Google's Gemini AI assistant

Google’s Gemini AI gets dedicated iPhone app in the UK for the first time

Facebook stock

EU fines Meta £660m for competition rule breaches over Facebook Marketplace

A phone taking a photo of a phone mast

Government pledges more digital inclusion as rural Wales gets phone mast boost

Social media apps displayed on a mobile phone screen

What is Bluesky and why are people leaving X to sign up?

Someone types at a keyboard

Cyber security chief warns Black Friday shoppers to be alert to scams

MPs

Ministers pressed on excluding Chinese firms from UK’s genomics sector

Child with mobile phone stock

Specially designed smartphone for children launches in the UK

Roblox on a laptop

Children’s gaming platform Roblox makes ‘major update’ to parental controls

An offshore wind farm

Government launches competition to find AI solutions to boost UK clean energy

A Google logo on the screen of a mobile phone

Google partnership with Anthropic AI cleared by competition watchdog