These cybercriminals have claimed responsibility for at least 1,700 attacks since 2020. Their main site is now offline and has been targeted by a coordinated police operation from 11 countries, including France.
According to Europol, it is the “most prolific and dangerous ransomware group in the world.” The Russian-speaking hacker group LockBit, which was first discovered in 2019, is said to have collected a total of around $91 million in ransom money. The headquarters was dismantled by law enforcement on February 19 during Operation Cronos, an offensive by 11 countries including the United Kingdom, the United States, Japan, Germany and France.
“This website is now under law enforcement control,” says a message on the homepage, which names the British Organized Crime Agency (NCA), in collaboration with Europol, the American FBI and authorities from several countries, including the National Cyber Unit of the National Gendarmerie.
In France, in 2022, the group particularly targeted the Corbeil-Essonnes hospital, demanding $1 million not to publish its sensitive information. Other victims include La Poste Mobile, the Loiret department and a branch of the Thales group, which made the group a target that had to be taken down.
Two arrests in Poland and Ukraine
Europol states in a press release that it “disrupted LockBit’s criminal operations at all levels and severely damaged its capacity and credibility.” The international police organization speaks of a “long-term operation lasting several months” that enabled the shutdown of 34 servers in several countries and the arrest of two of the group’s actors in Poland and Ukraine “at the request of the French judicial authorities.”
In addition, three international arrest warrants and five indictments were issued by French and American authorities. More than 200 cryptocurrency wallets linked to LockBit were frozen and 14,000 “unauthorized” accounts were closed.
The British authorities claim in a press release to have obtained the source code of the LockBit platform and extensive information about the group, and also announce that they have taken control of the software that allows LockBit partners to carry out their attacks.
The hackers had set up a “wall of shame” on their main page, where they published the names of their victims, revealed the amount of the ransom and published the stolen data.
“The most active and destructive” group
The hacker group specializes in “ransomware” attacks. It infiltrates the system, encrypts and blocks data, demanding a ransom for not sharing it. If the victim does not pay the requested amount, all files are posted online or resold. In November 2022, the US Department of Justice described LockBit ransomware as “the most active and destructive variant in the world.” In France, the group was responsible for 27% of ransom demands in 2022 and 2023 and the National Information Systems Security Agency (Anssi) processed 69 hacks attributed to it.
These hackers are used to attacking critical infrastructure and large industrial groups, with ransom demands ranging from 5 to 70 million euros. Abroad, in 2023, LockBit notably attacked the Royal Mail (the British postal service), the German automotive supplier Continental, the California government and even the American sandwich chain Subway.
Hit but not dismantled
However, be careful not to declare victory too quickly: on X (formerly Twitter), the malware specialists at vx underground note that “law enforcement agencies have seized or destroyed at least 22 websites linked to LockBit.” Note that the LockBit ransomware operation can continue even if the main site is offline and other subsites are still accessible.
Many hacker groups have been allegedly “busted” in recent years and quickly re-emerged. If one head is cut off, others will grow back just as quickly. Especially since some of these hackers are often in Russia and are therefore safe from the police forces looking for them. Others are “affiliated” hackers, independent hackers who use the LockBit software and pay the group a percentage of the ransom they receive. They are therefore more difficult to identify and can live anywhere in the world.
The media spotlight, covert operations and notoriety that LockBit now enjoys in the world of cybercrime have, like other groups, “transformed it into a criminal enterprise, with its administrators, hackers renting the software, negotiation and communication services,” as detailed by specialist media Numerama. In a joint memo, cybercrime authorities noted that LockBit was responsible for 16 to 27% of ransom demands, depending on the country.
Currently, “a large amount of the data collected as part of the investigation is in the possession of law enforcement authorities,” notes Europol. To help LockBit victims, authorities in the countries involved in Operation Cronos have provided decryption tools to recover data damaged by the attacks. They are available on the No More Ransom portal.