
If you’ve been keeping an eye on the news recently, you’ll know by now that the UK’s National Crime Agency (NCA), aided by law enforcement teams from the FBI and Europol, has claimed the scalp of the Internet’s biggest ransomware gang – LockBit.
Over the last year I blogged quite extensively about LockBit’s activities and the misery they have caused to hundreds of organisations all across the globe. Well, that reign of terror has now come to an end.
On the 20th February 2024, the NCA went public in an unprecedented way to announce the compromise and seizure of the infrastructure of the ransomware gang, during what they have called Op Cronos.

The work that has gone into the Operation is simply astonishing – The NCA have given a little insight into the operation, and I have no doubt that there will be many, many updates to the story throughout the coming months.
In short, the teams behind this takedown have:
- Dismantled the LockBit data exfiltration network – known as Stealbit – which was used by affiliates to steal victim data. The infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have been taken down.
- Arrested 2 LockBit members in Poland and Ukraine.
- Frozen over 200 cryptocurrency accounts linked to the group.
- Obtained over 1,000 decryption keys which will allow victims to recover their encrypted data.
- Identified almost 200 affiliates who gain initial access to victim networks for LockBit to extort.
In a timed activity, the US Department of Justice also announced that two defendants responsible for using LockBit to carry out ransomware attacks have been criminally charged, are in custody, and will face trial in the US.
Additionally, the US has also unsealed indictments against two Russian nationals, for conspiring to commit LockBit attacks.
Play them at their own game
Usually, site takedowns simply replace the web page of the darkweb site with the now familiar “this site has been seized” notice, but in this case the teams behind the takedown have very much played LockBit at their own game by replacing the entire site with a series of copycat messages in the style of the LockBit leaks site, starting with a replacement for the LockBit loading animation.


When the site loads, the teams working on the takedown have replaced the LockBit victim list with a series of takedown activities.

Each panel describes some of the work undertaken to infiltrate the LockBit network, some of which has obviously taken many months – such as the production of a decryption key for victims to recover their data.

Clicking a panel opens a separate page with some quite revealing data.
Press Release

The press release panel reiterates the fact that the site is now under control of the NCA, and provides links to the three agencies involved, and their official press releases about the takedown:
https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant
https://www.europol.europa.eu/node/5666
LockBit Backend Leaks

The Backend Leaks panel gives an idea of the extent of the compromise of the LockBit network by the law enforcement teams, and shows a number of screenshots of some of the backend systems used by LockBit, demonstrating that the teams have full control over them.

One of the screenshots shows some of the chats between the LockBit team and their affiliates.

Another shows the malware builder used to deploy the ransomware.

A further screenshot shows a list of compromised victims, their ransom demand, and the amount of data stolen.

Another screenshot shows the admin panel that LockBit uses to upload the data to their leak site.

One screenshot shows the onboarding page for new affiliates who want to work with LockBit to provide initial access to victim systems.

Another screenshot shows a partial list of affiliate account statuses, whilst another shows what access rights and capabilities those users have.


In another blow to the criminals, a further screenshot published by the NCA shows that they have full access to the servers used by the gang to administer their dark web sites.

The NCA go as far as to prove that they have root access by showing a screenshot of the /etc/shadow file which holds the password hashes of all accounts on the system – this file is only accessible to the root user account. I would suspect that work is now being undertaken to crack those hashes to recover the plain-text passwords.
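The defensive lesson from that screenshot is that whoever holds a copy of /etc/shadow can run an offline cracking job against it, and how long that job takes depends almost entirely on which crypt(3) scheme and cost parameters each account uses. The script below is an added example written for this post (it is not from the NCA, LockBit or the original article) that audits shadow-format lines and flags accounts whose hashes would fall quickly: empty password fields, legacy DES and md5crypt, and sha*crypt entries left at the 5,000-round default. The sample entries, the salt/hash placeholder strings, the strength ratings and the 100,000-round threshold are all this example’s own constructions; the scheme prefixes and field layout follow crypt(5) and shadow(5).

```python
"""Audit /etc/shadow entries for password hashes that would crack quickly
if the file were exposed (added example; constructed data, not real hashes)."""
import re
from typing import Dict, List

# crypt(3) scheme prefixes per crypt(5). The strength rating is this
# example's own judgement of how expensive the scheme is to brute-force.
SCHEMES = [
    ("$y$",  "yescrypt",    "strong"),
    ("$7$",  "scrypt",      "strong"),
    ("$2b$", "bcrypt",      "strong"),
    ("$2y$", "bcrypt",      "strong"),
    ("$2a$", "bcrypt",      "strong"),
    ("$6$",  "sha512crypt", "acceptable"),
    ("$5$",  "sha256crypt", "acceptable"),
    ("$1$",  "md5crypt",    "weak"),
]

SHACRYPT_DEFAULT_ROUNDS = 5000    # what sha*crypt uses when no rounds= is given
SHACRYPT_MIN_ROUNDS = 100_000     # below this we call it weak (example's choice)


def classify_password_field(field: str) -> Dict[str, str]:
    """Identify the hashing scheme in the second shadow field and rate it."""
    if field == "":
        return {"scheme": "none", "rating": "critical",
                "note": "empty password field: login without a password"}
    if field.startswith(("!", "*")):
        return {"scheme": "locked", "rating": "n/a", "note": "password login disabled"}
    for prefix, name, rating in SCHEMES:
        if field.startswith(prefix):
            note = ""
            if name in ("sha512crypt", "sha256crypt"):
                m = re.match(r"\$[56]\$rounds=(\d+)\$", field)
                rounds = int(m.group(1)) if m else SHACRYPT_DEFAULT_ROUNDS
                if rounds < SHACRYPT_MIN_ROUNDS:
                    rating, note = "weak", f"only {rounds} rounds"
            return {"scheme": name, "rating": rating, "note": note}
    # Traditional DES crypt: 13 characters from the crypt alphabet, no '$' prefix.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return {"scheme": "descrypt", "rating": "weak",
                "note": "legacy DES crypt, 8-character password limit"}
    return {"scheme": "unknown", "rating": "unknown", "note": "unrecognised format"}


def audit_shadow(text: str) -> List[Dict[str, str]]:
    """Parse shadow-format text (user:hash:lastchg:min:max:warn:inact:expire:)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append({"user": f"<line {lineno}>", "scheme": "malformed",
                             "rating": "unknown", "note": "fewer than 2 fields"})
            continue
        result = classify_password_field(fields[1])
        result["user"] = fields[0]
        findings.append(result)
    return findings


def weak_accounts(findings: List[Dict[str, str]]) -> List[str]:
    """Accounts whose hashes need re-hashing (or whose login needs disabling)."""
    return [f["user"] for f in findings if f["rating"] in ("weak", "critical")]


def mode_is_safe(mode: int) -> bool:
    """True if no permission bits are granted to 'other' (e.g. 0640 root:shadow)."""
    return (mode & 0o007) == 0


# Constructed sample: the salts and hashes are placeholder strings, not real digests.
SAMPLE_SHADOW = """\
root:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19400:0:99999:7:::
daemon:*:19400:0:99999:7:::
alice:$6$rounds=656000$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19400:0:99999:7:::
bob:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19400:0:99999:7:::
legacy:$1$abcdefgh$CONSTRUCTEDHASH:19400:0:99999:7:::
oldbox:AbCdEfGhIjKlM:19400:0:99999:7:::
guest::19400:0:99999:7:::
svc:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19400:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f['user']:8} {f['scheme']:12} {f['rating']:10} {f['note']}")
    print("needs attention:", weak_accounts(audit_shadow(SAMPLE_SHADOW)))
```

On a real host, read the file as root and pass its contents to `audit_shadow`, and pass `stat.S_IMODE(os.stat("/etc/shadow").st_mode)` to `mode_is_safe`. The fix for a weak entry is simply to re-hash it (a forced password change under a modern `pam_unix` or `libxcrypt` configuration, with yescrypt or a high `rounds=` value), which limits the value of any copy of the file that later leaks.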


Lockbitsupp
This page simply shows that the user who goes by the name lockbitsupp not only has been denied access to their main site, but also that they have been blocked from accessing 2 other sites – exploit.in & xss.is.

Who is Lockbitsupp?
This page created a huge amount of traffic online with people eager to find out the identity of the LockBit support account user – the page was initially locked with a timer set to open on Friday the 23rd.
When it did unlock, many people were quite disappointed that the NCA have only released a small hint as to who they know the perpetrator to be.

One thing to note is that they say he has already engaged with law enforcement – It will be interesting to see how that pans out.
LockBit decryption keys
To illustrate how much access the teams have to the LockBit infrastructure, they have managed to obtain the unique decryption keys of many victims and are asking those affected to get in touch so that they can release the keys to unlock the encrypted data.

Working with partners in Japan, they have also released a decryptor utility which can be found via the No More Ransom website.
https://www.nomoreransom.org/en/decryption-tools.html

Rewards for reporting
This page details the rewards on offer by the FBI for information leading to the arrest and/or conviction of any individual participating in a LockBit ransomware variant attack and for information leading to the identification and/or location of any key leaders of the LockBit ransomware group.
The rewards on offer total up to $15 million USD.

https://www.state.gov/reward-offers-for-information-on-lockbit-leaders-and-designating-affiliates
US Indictments
This page details the indictment of Russian nationals Artur Sungatov and Ivan Kondratyev (A.K.A. Basterlord).

https://lockbitvictims.ic3.gov/
https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant
https://www.justice.gov/opa/pr/man-charged-participation-lockbit-global-ransomware-campaign
Since the release of these names, a number of users online have performed some OSINT to try to identify Ivan Kondratyev (Basterlord).
One user on X (@fs0c131y) has conducted an in-depth probe into Basterlord and has uncovered numerous details about them, including a number of online profiles linked to the email address sinner4iter@gmail.com, which is the address identified in the US indictment.

The email for this user account was included in a data leak from Twitter a few years ago, which gives a Twitter ID of @lt9111.

Another leak identifies a phone number tied to the same email address…

A further leak identifies an address in Ukraine…

Another account linked to the same email on the website ok.ru identifies the school the user attended, and a location where they live…

A user with the same name (Koyerd Uhvwi) is identified leaving a review of a dental clinic in Новомосковск…


This clinic is a few minutes’ walk from the location identified in the ok.ru profile.
A search for the name Koyerd Uhvwi reveals a YouTube channel (https://www.youtube.com/@koyerduhvwi3798) where the owner posts a video of what appears to be themselves getting a LockBit tattoo on their ankle.
More research uncovers a treasure trove of data relating to the same person…
A now deleted account on the Russian social media site VKontakte shows numerous photographs of Basterlord…





He also has a profile on a dating site…

All this just goes to show that once something is on the Internet, it cannot be removed, and someone, somewhere will put all the pieces together eventually.
US Sanctions
This page details the sanctions placed on the two previously mentioned Russian nationals.

https://home.treasury.gov/news/press-releases/jy2114
FR Arrest warrants
This page outlines the arrest warrants issued by the French Judicial courts against 2 Russians and 1 Polish national.

Suspect arrested in Poland
This page details the arrest of the Polish suspect mentioned earlier.

https://cbzc.policja.gov.pl/bzc/aktualnosci/280,CBZC-w-miedzynarodowej-operacji-CRONOS.html
Suspect arrested in Ukraine
This page details the arrest of the 2 Russian nationals mentioned earlier.

Report Cyber Attacks
This page details various places where people can report cyber attacks to their law enforcement teams.

Japanese LockBit Recovery Tool
This page details the decryptor utility created by Japanese police which people can use to recover data encrypted by LockBit 3.0.

Cyber Choices
This page signposts people to the Cyber Choices website, which attempts to dissuade people from making bad cyber decisions and using their skills for badness, and instead to re-focus those skills into the world of cyber security.

https://www.nationalcrimeagency.gov.uk/cyber-choices
Stealbit down!
This page gives an insight into the hard work done by the teams to infiltrate the LockBit infrastructure. Stealbit was LockBit’s primary exfiltration tool – the page states that the team at the NCA had been working for months to reverse engineer this tool to understand how it functioned so that they could take it offline.

Affiliate infrastructure down
This page details the collaboration between multiple law enforcement agencies that allowed for the infiltration and takedown of LockBit’s network of servers.

LockBit’s hackers exposed
For many, this page provided some juicy details regarding just how large LockBit’s reach was. This page detailed the 190+ affiliate accounts who worked with LockBit with a nice message to those criminals that law enforcement would be in touch very soon.
That’s 190+ people who will be having a very nervous few weeks and months ahead, just waiting for that 3am door-knock.


Prodaft
This page identifies one of the private companies who have been helping law enforcement in their work to take down LockBit. Prodaft have been working for years to try to identify LockBit activity in order to pre-warn potential victims.

https://www.prodaft.com/opcronos
Account closures
This page details the 14,000+ accounts on various websites known to be used by LockBit and their affiliates – closing these will make it far harder for those individuals to conduct further attacks or to hide their activities.

LockBit’s new encryptor
This page details work undertaken by Trend Micro to disrupt the latest malware used by LockBit.

https://research.trendmicro.com/lockbit-blog
Secureworks
This page details the work undertaken by Secureworks to monitor numerous LockBit affiliates in an attempt to identify their Tactics, Techniques, and Procedures (TTPs) which can aid potential victims to detect the threats and mitigate against them.

LockBit Crypto
This page details the work undertaken to identify hundreds of cryptocurrency wallets used by LockBit and its affiliates which allowed law enforcement to seize the wallets and freeze any monies in them.

It is obvious that a huge amount of work has gone into Op Cronos by many organisations all across the world. The dedication of those involved to put an end to this very well established criminal gang cannot be overstated.
LockBit response to the takedown
In a statement to the vx-underground team, LockBit state that law enforcement only chose now to strike because LockBit had damaging data on US ex-president Donald Trump. However, many security researchers and experts suggest that the statement is simply a mix of bravado and fear from LockBit that their time is almost up.

According to some, LockBit has resurrected their infrastructure on a new .onion domain, but it remains to be seen if this will go the same way as the old one.
I’m certain that this is not the end of the LockBit saga, and more posts will be written throughout the year. But for now, time will tell on whether LockBit is truly over, and the clock is very much ticking.