The LockBit gang hit by “Cronos”, a spectacular international police operation


They were the hunters, now they are the hunted. The tide has turned for the LockBit cybercriminals, targeted earlier this week by a major international police operation. On Tuesday at noon, the English, American and European police – Canada, Japan, New Zealand, Switzerland and Ukraine were also involved – even allowed themselves a particularly pointed jab at the ransomware gang, the number one mafia franchise of the moment, by hijacking its website dedicated to data leaks.

As Europol explains, the operation, named Cronos, significantly disrupted the capabilities of this criminal group. The National Crime Agency, the English police, took control of LockBit’s technical infrastructure. As a result, it is now possible to decrypt files locked by the gang by visiting the “No More Ransom” initiative website.

Two arrests

The police – in France, the gendarmes of the national cyber unit are involved – also managed to seize 34 servers and freeze more than 200 cryptocurrency accounts linked to the criminal organization. Lastly, at the request of the French judicial authorities, two suspects were arrested in Poland and Ukraine.

The criminal group has been the target of a police investigation since September 2020, opened by the Paris prosecutor’s office. In a June 2023 count, the notorious gang, whose targets included Voyageurs du Monde and the Corbeil-Essonnes hospital, was judged responsible for 11% of the ransomware attacks monitored by ANSSI since 2020, a total of 69 attacks.

France had already obtained the arrest in Canada, in the fall of 2022, of Mikhail Vasiliev, a hacker suspected of being one of LockBit’s affiliates. Vasiliev, who is also the subject of an American extradition request, has just pleaded guilty before the Canadian courts.

Early affiliates

After the seizure of the LockBit site, two other suspects have just been named by the American justice system. Artur Sungatov and Ivan Kondratyev, two Russian nationals, are suspected of being behind numerous attacks carried out by LockBit in the United States.

An FBI representative told Cyberscoop that these were early affiliates of the gang. According to the prosecution, Kondratyev is “Bassterlord”, an Internet user who had, for example, claimed an intrusion into the electronics giant TSMC. In total, five people suspected of being linked to the gang are currently being prosecuted by the American justice system.

Of course, it is unknown where the two Russians targeted by the new indictment live. If they reside in their home country, they are unlikely to be extradited. But after this police coup, the reputation of the cybercriminal group, which could quickly relaunch a new showcase site, has taken a hit. And while it is likely that other mafia franchises will quickly fill the void, cybercriminals will need a little time to restart their extortion operations.

What to expect

Further arrests expected in the coming months could once again reshuffle the cards. As Europol noted, “a large quantity of data is now in the possession of law enforcement”. This data should give a significant boost to investigations aimed at identifying the leaders of the gang, its developers, its affiliates, and even its bankers dedicated to money laundering.

A page on the site seized by the police, for example, suggests that the identity of LockBitSupp, the leader of the gang, could be revealed within the week, or at least be the subject of a large reward. Likewise, affiliates attempting to log in to the administration panel were shown a police message emphasizing that private correspondence was now in the possession of the police, as noted by the X account of the computer security researchers VX-Underground.

LockBit appeared in September 2019. Then known as ABCD Ransomware, it had become the number one franchise in this criminal industry in just a few years. That position at the top flattered the ego of this start-up-like gang, hungry for both notoriety and innovation. For example, the cybercriminals had launched a bug bounty program.

Quite typically, LockBit rented out its infrastructure in exchange for a percentage, generally 25%, of the ransoms obtained. The gang ransomed its victims through double or triple extortion: file encryption, threats to disclose stolen data, and denial-of-service attacks. According to the American justice system, the cybercriminals targeted more than 2,000 victims and obtained more than 120 million dollars in ransom, causing billions of dollars in damage in the process.






