Russians Named as West Smashes Lockbit Ransomware Gang

The United States has issued an indictment for two Russians allegedly behind the notorious Lockbit ransomware gang, which was severely disrupted early this week by a rare international cyber operation.

The cyber division of Britain’s National Crime Agency (NCA) infiltrated the cybercrime group’s systems and stole its data, before taking down Lockbit’s site on the dark web.

The UK agency – working with the FBI, European police, the US Department of Justice, and other enforcement partners – posted news of its breakthrough on the Lockbit site (seen above) and revealed of their joint operation to the press on Tuesday. Police in Poland and Ukraine made two arrests.

ALSO SEE: China Banks Approve $17bn For Housing as Policy Debate Rages

The US indictment was made public as American, British and other international law enforcement partners gathered in London to announce the strike against the cybercrime gang, which has targeted over 2,000 companies and groups worldwide.

Lockbit had received more than $120 million in ransom payments and demanded hundreds of millions of dollars, US officials said.

The agencies also took the extraordinary step of using Lockbit’s own website to release internal data about the group itself.

‘We hacked the hackers’

“We have hacked the hackers,” Graeme Biggar, director-general of the National Crime Agency, told journalists. “We have taken control of their infrastructure, seized their source code and obtained keys that will help victims decrypt their systems.”

The takedown, dubbed “Operation Cronos” was an international coalition of 10 countries, he said. “Together, we have arrested, indicted or sanctioned some of the perpetrators and we have gained unprecedented and comprehensive access to Lockbit’s systems”.

“As of today, Lockbit is effectively redundant,” he added. “Lockbit has been locked out.”

Deputy US Attorney General Lisa Monaco said: “We have now destroyed the online backbone of the Lockbit group, one of the world’s most prolific ransomware gangs.

“But our work does not stop here: together with our partners we are turning the tables on Lockbit — providing decryption keys, unlocking victim data and pursuing Lockbit’s criminal affiliates around the globe.”

Meanwhile, the indictment unsealed in New Jersey charges Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with using Lockbit ransomware to target victims in manufacturing, logistics, insurance and other companies in five states and Puerto Rico, as well as in semiconductor and other industries around the world.

Additional criminal charges against Kondratyev were unsealed on Tuesday related to his use of ransomware in 2020 against a victim in California, the Justice department said.

Both men were also sanctioned by the US Treasury.

In November last year, Lockbit published internal data from Boeing, one of the world’s largest defence and space contractors, and said the US unit of China’s ICBC paid a ransom following an attack that disrupted trades in the US Treasury market.

In early 2023, Britain’s Royal Mail also faced severe disruption after an attack by the group.

Servers seized, crypto accounts frozen

Ransomware is malicious software that encrypts data; Lockbit and its affiliates made money by coercing targets into paying a ransom to decrypt or unlock that data with a digital key. The gang’s digital extortion tools have been used against some of the world’s largest organisations in recent months.

Its affiliates are like-minded criminal groups that Lockbit recruits to wage attacks using those tools. Those affiliates carry out the attacks, and provide Lockbit a cut of the ransom, which is usually demanded in the form of cryptocurrency, making it harder to trace.

Operation Cronos seized 34 of Lockbit’s servers, arrested two members of the gang, froze 200 cryptocurrency accounts, and closed 14,000 “rogue accounts” used online to launch Lockbit’s operations, the police agencies said.

Lockbit has caused monetary losses totalling billions for businesses, the NCA’s Biggar said, as firms not only had to pay ransom payments, but also shoulder the cost of getting their systems back online.

Before it was taken down, Lockbit’s website displayed an ever-growing gallery of victim organisations that was updated nearly daily. Next to their names were digital clocks that showed the number of days left to the deadline given to each organisation to provide ransom payment.

On Tuesday, the Lockbit leak website had been transformed by the NCA, FBI and Europol into a leak site about the criminal gang itself, onto which international police agencies published internal data from inside the group, and countdown clocks threatening to reveal upcoming sanctions and the identity of Lockbit’s ringleader, “LockbitSupp”.