Six things we learned from the LockBit takedown


A major law enforcement operation carried out this week by the UK's National Crime Agency took down LockBit, the notorious Russia-linked ransomware gang that has been wreaking havoc on companies, hospitals and governments around the world for years.

The action saw the LockBit leak site taken down, its servers seized, several arrests made and U.S. government sanctions applied, in what is one of the largest operations carried out to date against a ransomware group.

It is also, arguably, one of the most unusual takedowns we have seen, with UK authorities announcing the seizure of LockBit's infrastructure on the group's own leak site, which now hosts a number of details about the gang's inner workings, with the promise of more to come.

Here is what we have learned so far.

LockBit did not delete victims' data, even when they paid

It has long been suspected that paying a hacker's ransom is a gamble and does not guarantee that stolen data will be deleted. Some victim companies have even said as much, stating that they "cannot guarantee" their data will be erased.

The LockBit takedown confirmed that this was indeed the case. The NCA revealed that some of the data found on LockBit's seized systems belonged to victims who had paid a ransom to the threat actors, "proving that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised," the NCA said in a statement.

Even ransomware gangs fail to patch vulnerabilities

Yes, even ransomware gangs are slow to fix software bugs. According to malware research group vx-underground, citing LockBitSupp, the alleged leader of the LockBit operation, law enforcement hacked the ransomware operation's servers using a known vulnerability in the popular web programming language PHP.

The vulnerability used to compromise its servers is tracked as CVE-2023-3824, a remote execution flaw fixed in August 2023, which gave LockBit months to patch the bug.

"FBI screwed servers through PHP, backup servers without PHP can't be touched," reads the translated message from LockBitSupp to vx-underground, originally written in Russian.
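The lesson of this section for defenders is patch lag: a fix had been available for months and was never applied. As an added example (not code from the article, the NCA or vx-underground), the Python script below shows the check an operator would run over their own fleet to surface that lag: parse `php -v` output, compare the build against an advisory's first-fixed release on each supported branch, and report how many days the fix has been available. The article does not give the fixed version numbers for CVE-2023-3824, so the advisory table here uses constructed placeholder thresholds that must be replaced with the values from the PHP release announcement, and the fix date is set to 1 August 2023 purely as a stand-in for the article's "August 2023". The sample `php -v` output is constructed as well.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample of `php -v` output, as an inventory agent would collect it
# from a host. The version and build date are made up for this example.
SAMPLE_PHP_V = (
    "PHP 8.1.20 (cli) (built: Jun  8 2023 12:00:00) (NTS)\n"
    "Copyright (c) The PHP Group\n"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    # supported minor branch ("8.1") -> first patch release on that branch carrying the fix
    fixed_in: dict
    fix_date: date  # day the fixed releases became available


# PLACEHOLDER thresholds: the article only says the fix shipped in August 2023.
# Replace these tuples with the first fixed release per branch from the PHP
# advisory before using this table for real.
CVE_2023_3824_PLACEHOLDER = Advisory(
    cve="CVE-2023-3824",
    fixed_in={"8.0": (8, 0, 99), "8.1": (8, 1, 99), "8.2": (8, 2, 99)},
    fix_date=date(2023, 8, 1),  # stand-in for "August 2023"
)


def parse_php_version(php_v_output: str):
    """Return (major, minor, patch) from the first line of `php -v`, or None."""
    m = re.match(r"PHP\s+(\d+)\.(\d+)\.(\d+)", php_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version, advisory: Advisory, as_of: date) -> dict:
    """Classify one build against an advisory and measure the available-fix window.

    status is one of:
      "vulnerable"          build is older than the first fixed release on its branch
      "patched"             build is at or past the first fixed release
      "unsupported-branch"  branch not listed in the advisory (end-of-life or newer
                            than the advisory); needs manual review, not a silent pass
    """
    branch = f"{version[0]}.{version[1]}"
    fixed = advisory.fixed_in.get(branch)
    if fixed is None:
        status = "unsupported-branch"
    elif tuple(version) < tuple(fixed):
        status = "vulnerable"
    else:
        status = "patched"
    return {
        "cve": advisory.cve,
        "version": ".".join(str(x) for x in version),
        "status": status,
        # How long a fix has existed is the number that turns a finding into a priority.
        "days_since_fix": (as_of - advisory.fix_date).days,
    }


def check_host(php_v_output: str, advisory: Advisory, as_of: date) -> dict:
    """Glue: parse raw `php -v` text and assess it; unparsable output is flagged, not ignored."""
    version = parse_php_version(php_v_output)
    if version is None:
        return {"cve": advisory.cve, "version": None, "status": "unparsable",
                "days_since_fix": (as_of - advisory.fix_date).days}
    return assess(version, advisory, as_of)


if __name__ == "__main__":
    # Run against the constructed sample with the placeholder advisory.
    print(check_host(SAMPLE_PHP_V, CVE_2023_3824_PLACEHOLDER, date(2024, 2, 20)))
```

In a real deployment the `php -v` text comes from each host (or from a package inventory) and the advisory table from the vendor's release notes; the per-branch comparison matters because a point release on one branch says nothing about another, and the "unsupported-branch" result is deliberately not treated as safe.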

Ransomware takedowns take a long time

The takedown of LockBit, formally known as "Operation Cronos," took years, according to European law enforcement agency Europol. The agency revealed Tuesday that its investigation into the notorious ransomware gang began in April 2022, about two years ago, at the request of French authorities.

Since then, Europol said, its European Cybercrime Centre, or EC3, has held more than two dozen operational meetings and four week-long technical sprints to develop lines of inquiry ahead of the final phase of the investigation: this week's takedown.

LockBit hacked over 2,000 organizations

LockBit, which first entered the competitive cybercrime scene in 2019, has long been known as one of, if not the most, prolific ransomware gangs.

Tuesday's operation all but confirms it, and the U.S. Department of Justice now has the numbers to back it up. According to the DOJ, LockBit has had more than 2,000 victims in the United States and around the world and has received more than $120 million in ransoms.

Sanctions targeting a key LockBit member could affect other ransomware gangs

One of the top LockBit members indicted and sanctioned Tuesday is a Russian national, Ivan Gennadievich Kondratiev, who U.S. authorities say is involved in other ransomware gangs.

According to the U.S. Treasury, Kondratiev also has ties to REvil, RansomEXX and Avaddon. While RansomEXX and Avaddon are lesser-known variants, REvil was another Russia-based ransomware variant that gained notoriety through high-profile hacks, making millions in ransom payments, including the hack of American network monitoring giant Kaseya.

Kondratiev was also named a leader of a recently leaked LockBit subgroup called the "National Hazard Society." Little is still known about this LockBit affiliate, but the NCA has promised to reveal more in the coming days.

The sanctions effectively prohibit American victims of Kondratiev's ransomware from paying the ransoms he demands. Given that Kondratiev is involved in at least five different ransomware gangs, the sanctions are likely to make his life five times harder.

The British have a sense of humour

Some people (me, a Brit) would say we already knew that, but the LockBit affair showed us that the British authorities have a sense of humour.

Not only did the NCA mock LockBit by mimicking the gang's dark web leak site for its own LockBit-related revelations, we also found various Easter eggs hidden on the now-seized LockBit site. Our favourite are the different file names for the site's images, which include "oh dear.png", "doesn't_look_good.png" and "this_is_really_bad.png".

[Image: a screenshot of several open Tor tabs, with file names like "oh my god.png," "dont_look_good.png" and "this_is_really_bad.png."]

Image credit: TechCrunch
