The world’s most dangerous ransomware gang has been dismantled after an international operation
- The UK National Crime Agency (NCA) led “Operation Chronos”.
- Police officers arrested two people of Russian nationality associated with the group.
- They also took control of about thirty servers located in various European countries.
The security forces of a dozen countries have dealt a major blow to Lockbit. We are talking about the most prolific group of hackers in the world, whose most recent attacks have reached the Port of Lisbon, the Chinese bank ICBC and the City Council of Seville. After making millions of dollars from its illegal activity in just four years, the group has reportedly been dismantled.
At least, that is according to the United Kingdom’s National Crime Agency (NCA), which has led an international operation called “Operation Chronos” with the assistance of Europol and Eurojust. The agency says the operation resulted in a “disruption at all levels” of Lockbit’s activity, the arrest of two gang members, and the seizure of over 200 cryptocurrency accounts.
Lockbit, Against the Ropes
The biggest impact for Lockbit has been the loss of much of its criminal infrastructure. According to officials, members of the operation managed to gain control of most of its systems after infiltrating them. As a result, 34 servers located in the Netherlands, Germany, Finland, France, Australia, the United States, the United Kingdom and Switzerland are no longer operational.
Lockbit had a dark web page that served as a point of contact with hardcore attack groups and was also the primary place where the group published threats and stolen victim data. Currently, anyone who tries to access this page through the Tor network gets the message shown in the cover image, which announces the intervention by police forces.
The NCA claims that it has also obtained the source code of the Lockbit platform and important historical information about the group’s activity, for example, which other groups it has worked with. This heavily damages Lockbit’s credibility in the cybercrime world, especially considering that its business model is Ransomware as a Service (RaaS).
It is expected that the contents of the seized servers will help support parallel investigations to find other groups of cyber criminals. So far, the operation has also resulted in the arrest of two people of Russian nationality belonging to the original group. One of them was in Poland and the other in Ukraine. Both suspects have been indicted by the United States.
Police forces from France, Germany, the Netherlands, Sweden, Australia, Canada, Japan, the United Kingdom, the United States, and Switzerland participated in “Operation Chronos”. They also received support from the Finnish National Police, the Central Cybercrime Bureau in Kraków (Poland), the New Zealand Police, the Prosecutor General’s Office of Ukraine, the Cybersecurity Department of Ukraine and the National Police of Ukraine.
Ransomware as a Service and Encryption Keys
Lockbit has promoted a strange, but by now traditional, cybercrime model. This is the aforementioned Ransomware as a Service (RaaS), the malicious counterpart to the legitimate Software as a Service (SaaS) model. In this scheme, Lockbit has been in charge of developing the ransomware and offering it to affiliates, i.e. malicious actors who are willing to pay to use it.
When Lockbit ransomware infects a system, the data on the victim’s system becomes encrypted and inaccessible. The attackers then demand a ransom payment in cryptocurrency in exchange for the decryption keys that allow the data to be restored to its original state. Sometimes they also threaten to publish the encrypted data if the ransom is not paid.
Operation Chronos has brought two very interesting pieces of information to light. On the one hand, Lockbit may not always have deleted the data of victims who paid the ransom, which is especially sensitive in the case of companies that fell into the trap. On the other hand, more than 1,000 decryption keys have been obtained that can help victims recover their data without paying any ransom.
The NCA has promised to contact UK victims “in the coming days and weeks” so they can access the keys. In any case, it is expected that these will be added to the “No More Ransom” page controlled by Europol. Victims of attacks will be able to use this resource to find the latest Lockbit decryption keys.
Images: NCA