The international fight against ransomware criminals

Author Moonshot.news

Published on: 21/02/2024

Cyber risks are top concerns for companies. Authorities from 10 countries say they have now disrupted the criminal operation of the LockBit ransomware group – one of the world’s most prolific and harmful ransomware, causing billions of euros worth of damage, according to Europol. 37% of companies believe they are “highly” or “extremely” exposed to cyber risks, according to a report by consultancy PwC. 

LockBit first emerged at the end of 2019, first calling itself ‘ABCD’ ransomware. In 2022 it became the most deployed ransomware variant across the world.

The group is a ‘ransomware-as-a-service’ operation, meaning that a core team creates its malware and runs its website, while licensing out its code to affiliates who launch attacks.

LockBit’s attacks are seen globally, with hundreds of affiliates recruited to conduct ransomware operations using LockBit tools and infrastructure, according to Europol. 

“Ransom payments were divided between the LockBit core team and the affiliates, who received on average three-quarters of the ransom payments collected.”

“The ransomware group is also infamous for experimenting with new methods for pressuring their victims into paying ransoms.” 

“Triple extortion is one such method which includes the traditional methods of encrypting the victim’s data and threatening to leak it, but also incorporates Distributed Denial-of-Service (DDoS) attacks as an additional layer of pressure.”

Europol says that in a significant breakthrough in the fight against cybercrime, law enforcement now have disrupted LockBit ransomware group at every level, severely damaging their capability and credibility.

“The months-long operation has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise. This includes the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.”

Two arrests were made in Poland and other arrests warrants were issued. Authorities have frozen more than 200 cryptocurrency accounts.

The UK’s National Crime Agency has now taken control of the technical infrastructure that allows all elements of the LockBit service to operate, as well as their leak site on the dark web, on which they previously hosted the data stolen from victims in ransomware attacks.

“At present, a vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure and criminal assets linked to these criminal activities”, Europol says. 

Ransomware criminals steal about 10 terabytes of data each month, according to an earlier report by the European Union Agency for Cybersecurity (ENISA).

“An analysis indicates that a large number of affected companies pay the cyber criminals. Publicly reported ransomware incidents are only the tip of the iceberg”, ENISA says. 

With Europol’s support, the Japanese Police, the National Crime Agency and the Federal Bureau of Investigation have developed decryption tools designed to recover files encrypted by the LockBit Ransomware.

These solutions have been made available for free on the ‘No More Ransom’ portal, available in 37 languages. 

Europol says that so far, more than 6 million victims across the globe have benefitted from No More Ransom.

This international sweep against LockBit follows an investigation led by the UK National Crime Agency in the framework of an international taskforce called ‘Operation Cronos’, coordinated at European level by Europol and Eurojust.