HACKING THE HACKERS: FBI, law enforcement agencies from 11 other countries shut down ransomware websites of notorious cybercriminal group
By bellecarter // 2024-02-23
 
The Federal Bureau of Investigation (FBI) and law enforcement agencies from 11 other countries, including the National Crime Agency (NCA) of the United Kingdom, have carried out a cyber operation that seized the infrastructure of LockBit, a cybercriminal group offering ransomware as a service. The operation shut down the websites the group uses to collect payments for the recovery of victims' data, which the cyber-terrorists lock up using cryptovirological malware.

"This site is now under the control of the National Crime Agency of the U.K., working in close cooperation with the FBI and the international law enforcement task force, 'Operation Cronos,'" a notice on LockBit's website read. According to FBI officials, the agencies took down 11,000 domains used by LockBit and its affiliates to facilitate ransomware.

"LockBit has caused enormous harm and cost – no longer," Graeme Biggar, NCA's director general, said at a press conference. "We have hacked the hackers, we have taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems."

The operation has already led to four arrests, and the authorities promised on Tuesday, Feb. 20, to repurpose the technology to expose the group's operations to the world. Europol – the international law enforcement agency of the European Union – said that two people had been arrested in Poland and Ukraine and that two other defendants, thought to be affiliates, had been arrested and charged in the United States. Two more individuals – both Russians – have been named but are still at large. Authorities have also frozen more than 200 cryptocurrency accounts linked to the group.

Agents seized control of LockBit's equipment, including servers with victim data, file-share servers, and communication servers, he said. That will help authorities return stolen data to the companies and other organizations hacked by LockBit. "We'll be notifying victims here soon," Leatherman said in an interview.

LockBit, which specializes in using malicious software known as ransomware to encrypt files on its victims' computers and then demanding payment to unlock the files, was responsible for temporarily disrupting $26 trillion worth of assets in the U.S. Treasury market last year. LockBit has also claimed 1,600 victims in the U.S. and 2,000 internationally, according to the FBI. A majority are within the private sector, and the FBI said it is tracking 144 million ransoms paid in connection with LockBit attacks.

"This is a righteous, serious blow against a malevolent actor that has caused financial losses and real suffering all over the world," said Sandra Joyce, vice president of Mandiant Intelligence, part of Google Cloud. "We couldn’t hope for much more in terms of a disruption to ransomware operations. This is the model we hope to see more of moving forward."

LockBit still afloat as another ransomware linked to it spreads online

Just a couple of days after international law enforcement agencies cooperated to strike down one of the most prolific ransomware groups on the internet, experts detected a new round of attacks installing malware associated with LockBit. The attacks were reportedly exploiting two critical vulnerabilities in ScreenConnect, a remote desktop application sold by ConnectWise, Ars Technica reported.

According to security firms Sophos X-Ops and Huntress, hackers who successfully exploit the vulnerabilities go on to install LockBit ransomware and other post-exploit malware. "We can't publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown," John Hammond, principal security researcher at Huntress, wrote in an email. "While we can't attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement." Hammond said the ransomware is being deployed to "vet offices, health clinics, and local governments."

The security firms didn't say whether the ransomware being installed is the official LockBit version or a version leaked by a disgruntled LockBit insider in 2022. The leaked builder has circulated widely since then and has touched off a string of copycat attacks that aren't part of the official operation.

"When builds are leaked, it can also muddy the waters with regards to attribution," researchers from security firm Trend Micro said. "For example, in August 2023, we observed a group that called itself the Flamingo group using a leaked LockBit payload bundled with the Rhadamanthys stealer. In November 2023, we found another group, going by the moniker Spacecolon, impersonating LockBit. The group used email addresses and URLs that gave victims the impression that they were dealing with LockBit."


Sources include:

Bloomberg.com
TheGuardian.com
ArsTechnica.com
Brighteon.com