{"id":1263,"date":"2024-02-21T07:26:10","date_gmt":"2024-02-21T07:26:10","guid":{"rendered":"https:\/\/businesstriumphs.com\/index.php\/2024\/02\/21\/11-nation-operation-takes-down-worlds-most-harmful-cybercriminal-group\/"},"modified":"2024-02-21T07:26:10","modified_gmt":"2024-02-21T07:26:10","slug":"11-nation-operation-takes-down-worlds-most-harmful-cybercriminal-group","status":"publish","type":"post","link":"https:\/\/businesstriumphs.com\/index.php\/2024\/02\/21\/11-nation-operation-takes-down-worlds-most-harmful-cybercriminal-group\/","title":{"rendered":"11-nation operation takes down world\u2019s \u2018most harmful\u2019 cybercriminal group"},"content":{"rendered":"<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">An international coalition of law enforcement agencies in 11 countries announced Tuesday that it had taken control of computers and software at the heart of the world\u2019s most prolific ransomware group, giving victims hope that they won\u2019t be forced to make ransom payments to recover data stolen from their computer systems.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">The infrastructure seized from the LockBit ransomware gang included hundreds of electronic keys needed to recover the stolen data as well as the site on the dark web, where LockBit leaked data from victims who refused to pay ransoms in cryptocurrency, officials said.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">The law enforcement effort, dubbed Operation Cronos, was led by the United Kingdom\u2019s National Crime Agency and included the FBI and other enforcement agencies. 
The coalition then used the group\u2019s site to mimic its previous operation and begin leaking information about LockBit, posting a countdown timer for files still to come, including one teasing forthcoming information about the anonymous frontman for the gang.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">\u201cIt\u2019s a thing of beauty. The NCA and FBI are trolling LockBit aggressively,\u201d said Don Smith, vice president at Secureworks, which had its analysis of the group republished by the authorities on the hackers\u2019 site.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">Criminals who hack into the internal networks of targeted organizations use ransomware to encrypt the data there and render it unusable. They demand money for the decryption key and sometimes not to publish data they have stolen. According to the Justice Department, LockBit malware has been used to extort more than $120 million in ransom payments from more than 2,000 victims.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">The first sign of the takeover appeared late Monday, when a notice appeared on LockBit\u2019s site that read: \u201cThis site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, \u2018Operation Cronos\u2019.\u201d<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">U.K. and U.S. officials said they won control of 200 financial accounts holding an undisclosed amount of cryptocurrency, the programming source code used to encrypt data and sneak it out of corporate networks, and records of electronic chats with the LockBit affiliates who conducted the actual hacking. 
One accused participant was arrested in Ukraine and another in Poland, with both now in American custody, while an indictment was unsealed against two others who are presumed to be inside Russia.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">LockBit malware has been responsible for about a quarter of all ransomware attacks in the past two years, Secureworks estimated. LockBit is widely believed to be operated from Russia, though its ties to the Russian government, if any, are uncertain.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">In 2022, it was the most-deployed piece of ransomware in the world, according to the U.S. Cybersecurity and Infrastructure Security Agency.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">LockBit has published data stolen from aerospace giant Boeing and upset financial markets with an attack on the financial services division of a major Chinese bank, ICBC. The tool was also used to cripple Britain\u2019s mail service last year, disrupting international parcel exports for a week. It has hit numerous U.S. cities, school systems and counties, recently including Fulton County in Georgia, where former president Donald Trump faces charges related to his alleged efforts to overturn the 2020 election.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">Fulton County officials said Wednesday that some of its services, including technology used in its justice system, remained disrupted more than two weeks after the attack \u2014 requiring that certain meetings take place in person rather than over the phone or other communications platforms.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">NCA Director General Graeme Biggar called LockBit the \u201cmost harmful cybercrime group\u201d in the world. 
\u201cThrough our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out,\u201d he said in a statement.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">Officials did not reveal how they succeeded in seizing LockBit\u2019s site, but one person close to the operation said it may have taken as long as a year. With ransomware groups hitting critical infrastructure and extorting as much as $1 billion annually, many acting from within Russia\u2019s borders, tech-enabled takedowns have become a top priority, sometimes getting assistance from intelligence and military agencies as well as law enforcement.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">Previous takedowns and arrests have broken some crime rings or dented them. But because some of the top groups operate in a decentralized fashion, essentially offering their services for hire to cybercriminals seeking to penetrate an organization, other ransomware groups were able to offer similar services. In this case, the investigators are threatening the hackers themselves, known as affiliates, warning them on the seized site that they may be in touch and inviting them to come forward first.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">LockBit became the top ransomware operation by giving its affiliates, who keep about 80 percent of the ransoms, unusual latitude to negotiate with their targets and publish the pilfered data themselves. Other ransomware gangs handle such duties on behalf of the hackers.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">That deeper collaboration between LockBit and the affiliates may have helped investigators penetrate the network. 
The coalition said it also had gained control of 28 servers belonging to affiliates.<\/p>\n<div class=\"PJLV PJLV-icvAPjC-css\">\n<p>The NCA reveals details of an international disruption campaign targeting the world\u2019s most harmful cyber crime group, Lockbit.<\/p>\n<p>Watch our video and read on to learn more about Lockbit and why this is a huge step in our collective fight against cyber crime. pic.twitter.com\/m00VFWkR9Z<\/p>\n<p>\u2014 National Crime Agency (NCA) (@NCA_UK) February 20, 2024<\/p>\n<\/div>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">\u201cLockBit is one of the most significant ransomware threats, and many would argue it to be the most prolific group today,\u201d Jason Nurse, a cybersecurity expert at the University of Kent in England, said in an email. \u201cThese groups are well-funded, operate like a business and are extremely careful in their approach,\u201d he added.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">In 2022, LockBit issued an apology after it said its ransomware was used to target a children\u2019s hospital. It offered the hospital a code to unlock its systems \u2014 and reportedly issued policy guidance that banned criminals from using its software in attacks \u201cwhere damage to the files could lead to death.\u201d<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">But the loose affiliate model means that every few months, someone installed LockBit on a sensitive target anyway, researchers said.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">British law enforcement agencies have previously warned against focusing too much on tackling individual variants of ransomware. 
Disrupting individual ransomware variants \u201cis akin to treating the symptoms of an illness, and is of limited use unless the underlying disease is addressed,\u201d the NCA said.<\/p>\n<p class=\"wpds-c-cYdRxM wpds-c-cYdRxM-iPJLV-css overrideStyles font-copy\">But U.K. and U.S. officials hope that LockBit and its affiliates will disband their operations, at least temporarily, out of concern that the authorities will be able to identify them and arrest at least those affiliates who are outside Russia and China.<\/p>\n<\/p>\n<div>This post appeared first on The Washington Post<\/div>\n","protected":false},"excerpt":{"rendered":"<p>An international coalition of law enforcement agencies in 11 countries announced Tuesday that it had taken control of computers and software at the heart of the world\u2019s most prolific ransomware group, giving victims hope that they won\u2019t be forced to make ransom payments to recover data stolen from their computer systems. The infrastructure seized from 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1264,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1263","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-politics"],"_links":{"self":[{"href":"https:\/\/businesstriumphs.com\/index.php\/wp-json\/wp\/v2\/posts\/1263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/businesstriumphs.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/businesstriumphs.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/businesstriumphs.com\/index.php\/wp-json\/wp\/v2\/comments?post=1263"}],"version-history":[{"count":0,"href":"https:\/\/businesstriumphs.com\/index.php\/wp-json\/wp\/v2\/posts\/1263\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/businesstriumphs.com\/index.php\/wp-json\/wp\/v2\/media\/1264"}],"wp:attachment":[{"href":"https:\/\/businesstriumphs.com\/index.php\/wp-json\/wp\/v2\/media?parent=1263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/businesstriumphs.com\/index.php\/wp-json\/wp\/v2\/categories?post=1263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/businesstriumphs.com\/index.php\/wp-json\/wp\/v2\/tags?post=1263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}