"This site is now under the control of the National Crime Agency of the U.K., working in close cooperation with the FBI and the international law enforcement task force, 'Operation Cronos,'" a notice on Lockbit's website read.
According to FBI officials, the agencies were able to strike down 11,000 domains used by LockBit and its affiliates to facilitate ransomware. "LockBit has caused enormous harm and cost – no longer," Graeme Biggar, NCA's director general, said at a press conference. "We have hacked the hackers, we have taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems."
The operation has already led to four arrests and the authorities promised on Tuesday, Feb. 20, to repurpose the technology to expose the group's operations to the world. Europol – the international law enforcement agency of the European Union – said that two had been arrested in Poland and Ukraine and that two other defendants, thought to be affiliates, had been arrested and charged in the United States. Two more individuals – both Russians – have been named but are still at large. Authorities have also frozen more than 200 cryptocurrency accounts linked to the group.
We are building the infrastructure of human freedom and empowering people to be informed, healthy and aware. Explore our decentralized, peer-to-peer, uncensorable Brighteon.io free speech platform here. Learn about our free, downloadable generative AI tools at Brighteon.AI. Every purchase at HealthRangerStore.com helps fund our efforts to build and share more tools for empowering humanity with knowledge and abundance.
Agents seized control of Lockbit's equipment, including servers with victim data, file-share servers, and communication servers, he said. That will help authorities return stolen data to the companies and other organizations hacked by LockBit. "We'll be notifying victims here soon," Leatherman said in an interview.
LockBit, which specializes in using malicious software known as ransomware to encrypt files on its victims' computers then demanding payment to unlock the files, was responsible for temporarily disrupting $26 trillion worth of assets in the U.S. Treasury market last year.
LockBit has also claimed 1,600 victims in the U.S. and 2,000 internationally, according to the FBI. A majority are within the private sector, and the FBI said it is tracking 144 million ransoms paid about LockBit attacks. (Related: Global cybercrime kingpin BUSTED in crackdown involving multiple law enforcement agencies.)
"This is a righteous, serious blow against a malevolent actor that has caused financial losses and real suffering all over the world," said Sandra Joyce, vice president of Mandiant Intelligence, part of Google Cloud. "We couldn’t hope for much more in terms of a disruption to ransomware operations. This is the model we hope to see more of moving forward."
Just a couple of days after international law enforcement cooperated to strike down one of the most prolific internet ransomware criminal groups, experts have detected a new round of attacks that are installing malware associated with LockBit.
The said attacks were reportedly exploiting two critical vulnerabilities in ScreenConnect, a remote desktop application sold by Connectwise, Ars Technica reported. According to security firms SophosXOps and Huntress, the hackers who successfully exploit the vulnerabilities go on to install LockBit ransomware and other post-exploit malware.
"We can't publicly name the customers at this time but can confirm the malware being deployed is associated with LockBit, which is particularly interesting against the backdrop of the recent LockBit takedown," John Hammond, principal security researcher at Huntress, wrote in an email. "While we can't attribute this directly to the larger LockBit group, it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement." Hammond said the ransomware is being deployed to "vet offices, health clinics, and local governments."
The security firms didn't say if the ransomware being installed is the official LockBit version or a version leaked by a disgruntled LockBit insider in 2022. The leaked builder has circulated widely since then and has touched off a string of copycat attacks that aren't part of the official operation.
"When builds are leaked, it can also muddy the waters with regards to attribution," researchers from security firm Trend Micro said. "For example, in August 2023, we observed a group that called itself the Flamingo group using a leaked LockBit payload bundled with the Rhadamanthys stealer. In November 2023, we found another group, going by the moniker Spacecolon, impersonating LockBit. The group used email addresses and URLs that gave victims the impression that they were dealing with LockBit."
Check out CyberWar.news for more stories similar to this.
Watch the video below that talks about ransomware attacks, where victims are left without water or money access.
This video is from the InfoWarSSideBand channel on Brighteon.com.
Will hackers cripple America with a cyberattack? Expert says it might happen in 2024.
FBI warns of "Phantom Hacker" scams WIPING OUT senior citizens' life savings.
How to survive a cyber attack TAKEDOWN of America.