Ransomware: Investigators report new successes in the fight against Lockbit
In addition to arrests in France and the UK, international law enforcement agencies disrupted the blackmailers' infrastructure – and sanctions were imposed.
Screenshot of the Lockbit blog taken over by investigators in February
(Image: Screenshot: heise security)
The Cronos investigative group led by the British NCA and the US Department of Justice has once again reported successes in the fight against the Lockbit ransomware gang. The law enforcement agencies published details of arrests, seizures and sanctions in a press release and on a darknet leaks site. In several locations, investigators arrested Lockbit affiliates, i.e. independent criminals who were allowed to use the gang's software and infrastructure in exchange for a share of the ransom.
Arrests in France, Spain and the UK
In France, a "major Lockbit player" was caught by the investigators, according to the press release. The person, whose personal details were not published by the French authorities, was apparently caught on vacation outside Russia and is now facing extradition to France. He is said to be one of the developers of the ransomware.
The British NCA reports two arrests in connection with the ransomware gang from its home country. The suspects are accused of being involved in extortion and money laundering for the Lockbit gang – the investigators say they were put on the men's trail by the Lockbit data captured in February.
Meanwhile, the Spanish Guardia Civil took action at Madrid airport: they arrested the operator of a "bullet proof hoster" who had enabled the operation of Lockbit servers in his data center. The Guardia Civil confiscated a total of nine servers and thus obtained information about the gang and its activities.
Videos by heise
Sanctions against Evil Corp
Investigators also claim to have unmasked a member of an older cybercrime syndicate as a Lockbit "affiliate". Before his involvement in the activities of the ransomware gang, the Russian Aleksandr R. was active in "Evil Corp", a group based in Russia, just like many Lockbit members. Evil Corp had developed the malware Dridex and BitPaymer and used them in attacks.
For five years, several members of the group have been wanted by the US government with seven-figure rewards, and today the US Department of Justice brought charges against him – for his involvement in cyber attacks. Together with the UK and Australia, the US government has also issued economic sanctions against seven members of Evil Corp and two suspected front companies of the criminal gang.
Lockbit activities have decreased
Meanwhile, the darknet leak sites of the Lockbit gang are still online, so the NCA has not been able to get hold of them. Instead, it used an older site for its announcement, which it came across during the operation in February of this year. Since then, the investigators have repeatedly used the website on the Tor network to make announcements aimed at sowing distrust among gang members.
The remaining affiliates are still attacking organizations worldwide with ransomware, but the volume of their attacks has shrunk considerably. In addition, the operators of the Lockbit leak sites have been caught several times falsifying entries – probably to feign activity. The investigators are chalking this up to the success of "Operation Cronos": the past six months have not been good for Lockbit, the NCA said in a statement.
(cku)
