Police arrested several LockBit participants and released a decryptor

Law enforcement officials have revealed further details about Operation Cronos, during which the infrastructure of the LockBit extortion group was compromised. The authorities have announced the arrest of two LockBit affiliates in Poland and Ukraine, along with the seizure of over 200 cryptocurrency wallets. Additionally, a decryption tool has been made available to assist in the free recovery of files affected by LockBit attacks.

Operation Cronos

It was previously announced earlier this week that Operation Cronos had been carried out. As a result, numerous LockBit sites designed for data leaks and negotiations with victims ceased operations and came under law enforcement control. However, the authorities initially withheld the details of the operation and are now gradually releasing information, promising to unveil new data in stages.

The international effort to curb LockBit’s activities was led by the UK’s National Crime Agency (NCA), with law enforcement from 11 countries around the world coordinated by Europol and Eurojust. The investigation commenced in April 2022, following a request from the French authorities.

Police arrested several LockBit participants and released a decryptor

“As a result of the operation, which lasted several months, LockBit’s main platform and other critical infrastructure supporting the activities of this criminal organization were compromised,” Europol reports. “During the operation, 34 servers were seized in the Netherlands, Germany, Finland, France, Switzerland, Australia, the USA, and the UK.”

According to Europol representatives, LockBit’s infrastructure is now under the control of the authorities. The operation uncovered over 14,000 accounts associated with the theft of information or the group’s infrastructure, which were used by LockBit to host various tools and software used in attacks, as well as to store files stolen from companies. These account details have now been handed over to law enforcement agencies.

“Some data in the LockBit systems belonged to victims who paid a ransom to the attackers. This indicates that even if a ransom is paid, it does not guarantee that the data will actually be deleted, despite the criminals’ promises,” notes the NCA.

It was also revealed that law enforcement officers extracted over 1,000 keys for decrypting data from the seized LockBit servers. Using these keys, the Japanese police, NCA, and FBI, with support from Europol, created a tool for decrypting data affected by LockBit 3.0 Black Ransomware attacks. This free decryptor is now available on the No More Ransom portal.

Furthermore, Europol claims to have collected “a huge amount of data” about LockBit’s operations, which will now be used in investigations related to the group’s leaders, malware developers, and operators.

Arrests and Cryptocurrency

So far, only two arrests have been reported: in Poland and Ukraine, where two LockBit affiliates were detained at the request of French authorities, with their identities remaining undisclosed. Additionally, French and American authorities have issued three more international arrest warrants and published five indictments related to other members of the group.

“We haven’t arrested everyone associated with LockBit (either the core group or its partners). This is a long-term process. We have now gathered a vast amount of information and will be closing in on these individuals, especially if they are within jurisdictions accessible to us. But now they all know that we are monitoring them, searching for them, and they will be constantly looking over their shoulder,” stated Jean-Philippe Lecouffe, Europol’s Deputy Executive Director for Operations, during a press conference.

The U.S. Department of Justice, in turn, has filed in absentia charges against two Russian citizens, Artur Sungatov and Ivan Gennadievich Kondratiev (also known as Bassterlord), for their involvement in LockBit attacks.

It is believed that since January 2021, Sungatov has employed the LockBit encryptor to launch attacks on “manufacturing, logistics, insurance, and other companies located in Minnesota, Indiana, Puerto Rico, Wisconsin, Florida, and New Mexico.”

According to the Department of Justice, Kondratiev has been using LockBit since August 2021, targeting attacks “on municipal and private facilities in Oregon, Puerto Rico, and New York, as well as other targets located in Singapore, Taiwan, and Lebanon.” In a separate indictment, Kondratiev is also linked to the use of the REvil malware in 2020 to extort money from an unnamed company in Alameda County.

In response, the U.S. Department of the Treasury announced sanctions against Sungatov and Kondratiev.

It is noteworthy that the data leak site, which hackers typically used to publish stolen information from victim companies and extort them, is now “leaking” information about LockBit itself.

Police arrested several LockBit participants and released a decryptor

Based on the countdown timers, by the end of the week, law enforcement may reveal the identity of the group’s administrator, known as Lockbitsupp (or offer a substantial reward for any information about him), and disclose information about the hackers’ cryptocurrency assets. Reports by SecureWorks and TrendMicro dedicated to the operations of LockBit and the malware itself will also be published.

Among the data already released by law enforcement, screenshots of the LockBit backend can be highlighted.

Police arrested several LockBit participants and released a decryptor

As for the captured cryptocurrency wallets of the group, it is currently unclear how much funds they contained. However, it is likely that now some companies that suffered from LockBit attacks will be able to recover the ransoms paid to the hackers, similar to how Colonial Pipeline managed to do so in 2021.

0 / 5

Your page rank:

Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment