Info@NationalCyberSecurity
Info@NationalCyberSecurity
0

Seven are arrested and three more on the run after British-led clampdown on gang ‘hiding in the shadows’ in Putin’s pariah state | #ransomware | #cybercrime



By Rory Tingle, Home Affairs Correspondent For Mailonline

14:25 20 Feb 2024, updated 14:37 20 Feb 2024



The world’s most dangerous ransomware gang has been shut down in an operation led by ‘Britain’s FBI‘ – with seven arrested and three on the run after police infiltrated the network of hackers ‘hiding in the shadows’ in Putin’s Russia

Lockbit has been causing havoc by hacking into computer systems and stealing sensitive data which it then threatens to release unless the victims pay an extortionate ransom – with the group earning $120million (£95m).  

The Russian-speaking hackers make money by selling their services to fellow crime gangs, with targets including Royal Mail, the NHS, Porton Down, a nuclear submarine base and hundreds of companies in the UK and abroad.

The National Crime Agency called the group the ‘Rolls-Royce’ of ransomware and said it behaved like a ‘legitimate businesses’, with a ‘slick, easy to use’ website and marketing gimmicks including $1,000 for anyone who gets a tattoo of its logo.

Seven suspects have been arrested so far and five people have been charged, including two Russians, Mikhail Vasiliev, who is being held in Canada, and Ruslan Magomedovich Astamirov, who is in the US. 

The remaining three – Artur Sungatov, Ivan Kondratyev and Mikhail Pavlovich Matveev – remain at large. The FBI is offering a $10million reward for information leading to the arrest of Matveev, who goes by the alias ‘Wazawaka’. 

Mikhail Pavlovich Matveev is one of five Russians charged over Lockbit, which has been described as the world’s most dangerous ransomware gang
Visitors to the Lockbit website now see a message saying it is ‘under the control of law enforcement’
The NCA today released a video revealing how the group operates

Visitors to its Lockbit’s homepage on the dark web now see a message revealing it is ‘under the control’ of The National Crime Agency, which targeted the site as part of a taskforce of 10 countries that includes the FBI and Europol.

They said the ‘permissive environment’ in Russia allowed the group to operate – with gangsters never targeting nations in the former Soviet Union – but do not believe the the regime of Vladimir Putin was directly involved. 

Lockbit was recently revealed to have stolen secret military and defence material from the HMNB Clyde nuclear submarine base, the Porton Down chemical weapons lab and a GCHQ listening post. This was then shared on the dark web.

Information about a specialist cyber defence site and some of Britain’s high security prisons was also stolen in the raid on Zaun, which makes fences for maximum security sites. 

Lockbit also hacked the Royal Mail Group in January and made ransom demands of £66million at the time. The company did not pay the extortionate fee but saw its services disrupted and had to spend £10million on anti-ransomware software.

It has also been linked to attacks on international law firm Allen and Overy and China’s biggest bank, ICBC. 

Representatives from the NCA and FBI today confirmed that they had disrupted the gang and said the operation was ‘ongoing and developing’.

What is ransomware?

Cybercriminals mounting a ransomware attack first hack into a computer system before using ‘blockers’ to stop their victim accessing their device.

This may include a message telling them this is due to ‘illegal content’ such as porn being identified on their device.

Hackers then ask for a ransom to be paid, often in the form of Bitcoins or other untraceable cryptocurrencies, for the block to be removed.

In Lockbit’s case, the gang stole sensitive information and threatened to release it in public if no ransom was paid.  

In May 2017, a massive ransomware virus attack called WannaCry spread to the computer systems of hundreds of private companies and public organisations across the globe.

NCA Director General, Graeme Biggar, said Lockbit had been the ‘most prolific’ ransomware group in the last four years, responsible for 25 per cent of attacks in the last year. 

He told a press conference in London that there were at least 200 victims in the UK and thousands abroad, leading to billions of pounds worth of damages – both in ransom payments and the cost of responding to attacks. 

‘We have hacked the hackers, taken control of their infrastructure and seized their source code,’ Mr Biggar said. 

‘We have arrested, indicted and sanctioned some of the perpetrators and gained intelligence on the criminals using the software – who we will now continue to pursue. 

‘As of today, Lockbit is effectively redundant – Lockbit has been locked out.’

Paul Foster, head of the NCA’s national cybercrime unit, said that LockBit’s popularity was partly because it was so easy to use.

He said: ‘LockBit had established itself as the preeminent ransomware strain over the last four years and one of the reasons for this was its intuitive platform and its relative ease of use.

‘That means just with a few simple clicks even the less technically savvy cybercriminals used LockBit to deploy ransomware.

‘Another key reason for their past criminal success was the marketing and branding that underpinned LockBit. They had a slick website and they had loyal customers.

‘They ran a successful marketing campaign that included a promise to pay 1,000USD to anybody who had the LockBit logo tattooed on themselves.’

Experts said that while LockBit may rebuild its network, the law enforcement action is a major setback.

Five defendants have been charged so far for launching ransomware attacks using Lockbit, including two Russian nationals.

Infrastructure supporting LockBit’s tool that was used to steal data, known as StealBit, based in three countries, has been seized, together with 200 cryptocurrency accounts. 

There are more than 200 victims in the UK and thousands internationally.

NCA investigators found that the gang behind the ransomware attacks did not always delete data when victims paid ransoms.

It said it has found more than 1,000 decryption keys held by the group and will be contacting UK-based victims to help them recover encrypted data.

Lockbit either carries out attacks for its own gain or is paid by so-called affiliates – made up of like-minded international gangsters. 

The NCA has now seized Lockbit’s site and is publishing information to aid victims
British police targeted the site as part of a taskforce of 10 countries that includes the FBI and Europol

The gang accounted for 23 per cent of the nearly 4,000 attacks globally last year in which ransomware gangs posted data stolen from victims to extort payment, according to the cybersecurity firm Palo Alto Networks. 

The group was discovered in 2020 when its eponymous malicious software was found on Russian-language cybercrime forums, leading some security analysts to believe the gang is based in Russia.

It has not professed support for any government, however, and no government has formally attributed it to a nation-state.

On its now-defunct site, Lockbit said it was ‘located in the Netherlands, completely apolitical and only interested in money’.

Officials in the United States, where the group has hit more than 1,700 organisations in nearly every industry from financial services and food to schools, transportation and government departments, have described it as the world’s top ransomware threat.

READ MORE: Fears Russians are behind massive cyberattack that saw hackers access millions on electoral register 

‘They are the Walmart of ransomware groups, they run it like a business – that’s what makes them different,’ said Jon DiMaggio, chief security strategist at Analyst1, a US-based cybersecurity firm. ‘They are arguably the biggest ransomware crew today.’

In November last year, Lockbit published internal data from Boeing, one of the world’s largest defence and space contractors.

Lockbit said in a statement in Russian and shared on Tox, an encrypted messaging app, that the FBI hit its servers that run on the programming language PHP. The statement added that it has backup servers without PHP that ‘are not touched’.

On X, screenshots showed a control panel used by Lockbit’s affiliates to launch attacks had been replaced with a message from law enforcement.

‘We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more’, the message said. ‘We may be in touch with you very soon. Have a nice day’.

The post named other international police organisations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany. 

Before it was taken down, Lockbit’s website displayed an ever-growing gallery of victim organisations that was updated nearly daily.

Next to their names were digital clocks that showed the number of days left to the deadline given to each organisation to provide ransom payment.

Yesterday, Lockbit’s site displayed a similar countdown, but from the law enforcement agencies who hacked the hackers: ‘Return here for more information at: 11:30 GMT on Tuesday 20th Feb.,’ the post said.

A previous Lockbit attack targeted Porton Down. Pictured is the Dstl high containment lab at the high-security facility in Wiltshire

Don Smith, vice president of Secureworks, an arm of Dell Technologies (DELL.N), opens new tab, said Lockbit was the most prolific and dominant ransomware operator in a highly competitive underground market.

‘To put today’s takedown into context, based on leak site data, Lockbit had a 25% share of the ransomware market. Their nearest rival was Blackcat at around 8.5%, and after that it really starts to fragment,’ Smith said.

‘Lockbit dwarfed all other groups and today’s action is highly significant.’

The Lockbit attack on HMNB Clyde, Porton Down and GCHQ was revealed in September. 

MPs warned that any information which gives security information to the UK’s enemies was of huge concern.

A defence source said the hack was being taken ‘very seriously’ but it was not thought any information was stolen that presented a real threat to national security, and there were currently no ransom demands as the hacked data had already been published.

The leak also included information about security equipment at RAF Waddington in Lincolnshire, where the MQ-9 Reaper attack drones squadron is based, and Cawdor Barracks, which has specialist electronic warfare regiments.

And documents relating to high security prisons including Category A Long Lartin in Worcestershire and Whitemoor in Cambridgeshire were also stolen in the hack.

Lockbit are thought to have been behind as many as 1,400 cyber-attacks globally and brought Japan’s busiest cargo port to a shuddering halt in July after attacking the system that manages the movement of containers.

Russian national Magomedovich Astamirov has been charged in the US for ‘involvement in deploying numerous LockBit ransomware and other attacks in the US, Asia, Europe, and Africa’.

And last year the US announced charges against Russian-Canadian Mikhail Vasiliev, who is being held in Canada awaiting extradition.

Lockbit either carries out attacks for its own gain or is paid by other criminal gangs

Another Russian, Mikhail Pavlovich Matveev, is wanted for alleged participation in other Lockbit attacks.

Ransomware is the costliest and most disruptive form of cybercrime, crippling local governments, court systems, hospitals and schools as well as businesses. It is difficult to combat as most gangs are based in former Soviet states and out of reach of Western justice. 

Law enforcement agencies have scored some recent successes against ransomware gangs, most notably the FBI’s operation against the Hive syndicate. But the criminals regroup and rebrand.

The NCA has previously warned that ransomware remains one of the biggest cyber threats facing the UK, and urges people and organisations not to pay ransoms if they are targeted.

Experts have said that LockBit may try to rebuild its operation but Chris Morgan, analyst from cyber security firm ReliaQuest, said the law enforcement action was ‘a significant short-term blow’. 

But Sergey Shykevich, from Check Point Software Technologies’ Threat Intelligence, warned the group could simply re-emerge under a new name. 

‘This latest action by UK and US authorities will be a major setback for their operations, and is likely to degrade their ability to recruit and retain affiliates,’ he said. 

‘However, as we have seen in the past, ransomware gangs are notoriously resilient and may emerge under a different banner in the near future. 

‘The threat from this criminal gang and other ransomware groups will continue, and organisations must be constantly on their guard.’

Q&A: How did ransomware group Lockbit make money and who were its targets? 

How does Lockbit operate?

Rather than conduct an entire criminal operation itself, Lockbit developed the malicious software – ‘ransomware’ – that enables attackers to lock victims out of their computers and networks.

Victims were then told to pay ransom in cryptocurrency in exchange for regaining access to their data. Those who did not pay risked having their data dumped on the dark web.

The ‘Lockbit’ ransomware was first observed in 2020, and made money through up-front payments and subscription fees for the software, or from a cut of the ransom, according to the US Cybersecurity & Infrastructure Security Agency (CISA).

The model is known as ‘Ransomware as a Service’, or RaaS.

Lockbit usually conducted itself as a professional enterprise, seeking feedback from customers – called ‘affiliates’ – and rolling out ransomware improvements.

‘Lockbit operates like a business. They run – or ran – a tight ship, which has enabled them to outlast many other ransomware operations,’ Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, said.

Lockbit is believed to have operated out of multiple locations, and cybersecurity experts say its members were Russian speakers.

How lucrative is ransomware?

In 2023, extortions by ransomware groups exceeded $1 billion in cryptocurrency for the first time, according to data published this month by blockchain firm Chainalysis.

Lockbit has targeted more than 2,000 victims worldwide, receiving more than $120 million in ransom, the US Department of Justice said Tuesday.

These potentially huge payouts have emboldened cybercriminals.

‘Awash with money, the ransomware ecosystem surged in 2023 and continued to evolve its tactics,’ the cybersecurity firm MalwareBytes said in a report published this month.

‘The number of known attacks increased 68 percent, average ransom demands climbed precipitously, and the largest ransom demand of the year was a staggering $80 million.’

That demand came after a LockBit attack severely disrupted Britain’s post operator Royal Mail for weeks.

Who are Lockbit’s victims?

Lockbit ransomware has been used against a wide variety of targets, from small businesses and individuals to huge corporations.

It was used ‘for more than twice as many attacks as its nearest competitor in 2023’, according to MalwareBytes.

The group has gained notoriety and attention from law enforcement agencies after high-profile attacks such as the one on Royal Mail.

Last November, it was blamed for an attack on the US arm of the Industrial and Commercial Bank of China (ICBC) – one of the biggest financial institutions in the world – as well as US aerospace giant Boeing.

In 2022, a Lockbit affiliate attacked the Hospital for Sick Children in Toronto, Canada, disrupting lab and imaging results. LockBit reportedly apologised for that attack.

‘Although Lockbit developers have created rules stipulating that their ransomware will not be used against critical infrastructure, it is clear that Lockbit affiliates largely disregard these rules,’ Stacey Cook, an analyst at the cybersecurity firm Dragos, wrote in a report published last year.

‘Lockbit developers do not appear to be overly concerned with holding their affiliates accountable.’

Who is fighting back, and how?

Lockbit’s growing visibility and its affiliates’ increasing attacks meant law enforcement agencies ramped up their efforts to win this cat-and-mouse game.

An alliance of agencies from 10 nations, led by Britain’s National Crime Agency, on Tuesday said they had disrupted LockBit at ‘every level’ in an effort codenamed ‘Operation Cronos’.

Europol said 34 servers in Europe, Australia, the United States and Britain were taken down and 200 Lockbit-linked cryptocurrency accounts were frozen.

The NCA said the action had compromised Lockbit’s ‘entire criminal enterprise’.

‘This likely spells the end of LockBit as a brand. The operation has been compromised and other cybercriminals will not want to do business with them,’ Emsisoft’s Callow said. 

But in recent years, cybersecurity experts have detected ransomware groups that suspended operations following law enforcement action only to re-emerge under different names.

‘Our work does not stop here. LockBit may seek to rebuild their criminal enterprise,’ NCA Director General Graeme Biggar said in a statement.

‘However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.’



Source link

.........................

National Cyber Security

FREE
VIEW