LockBit gang data leaked on own dark web site as NCA, FBI release new details

The threat group’s site was taken down yesterday (20 February 2024) by international law enforcement agencies, led by the NCA alongside the FBI. Other agencies included the Australian Federal Police (AFP), Europol, the French Gendarmerie Nationale, the Finnish Poliisi, and the German Bundeskriminalamt.

Now, the NCA has disclosed details of “Operation Cronos”, the takedown operation that saw LockBit’s leak site seized.

“The NCA has taken control of LockBit’s primary administration environment, which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims,” wrote the NCA.

“Instead, this site will now host a series of information exposing LockBit’s capability and operations, which the NCA will be posting daily throughout the week.”

True to its word, the NCA has taken control of the threat actor’s leak site and followed its design language to display facts and information regarding the takedown of the group, with some posts even including a ransom payment-style countdown timer, such as the “Closure” tab, which suggests the whole site will be taken down in four days at the time of writing.

Interestingly, the dates of the posts state the data was uploaded on 26 January and then updated on 7 February, suggesting that law enforcement agencies had access to LockBit’s back end for some time prior to the takeover.

Information on the site includes links to EU, US and UK press releases, a Japanese-developed recovery tool, decryption keys, screenshots of chats between the threat actor and victims, and other back-end leaks.

It also provides information on some of the other actions of Operation Cronos, including sanctions, indictments, and arrests.

VIEW ALL

Two individuals were reportedly arrested according to the seized leak site, with one in Poland at the request of French judicial authorities and one in Ukraine.

Five Russian nationals in total have been indicted by the US for the use of the LockBit ransomware variant, with the indictments of Ivan Kondratyev (aka “Bassterlord”) and Artur Sungatov most recently unsealed.

“Today’s indictment, unsealed as part of a global coordinated action against the most active ransomware group in the world, brings to five the total number of LockBit members charged by my office and our FBI and Computer Crime and Intellectual Property Section partners for their crimes,” said US Attorney Philip R. Sellinger for the District of New Jersey.

“And, even with today’s disruption of LockBit, we will not stop there. Our investigation will continue, and we remain as determined as ever to identify and charge all of LockBit’s membership – from its developers and administrators to its affiliates. We will put a spotlight on them as wanted criminals. They will no longer hide in the shadows.”

The two have also been sanctioned by the US Office of Foreign Assets Control (OFAC), which “imposes sanctions on threat actors responsible for malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States”.

Formerly, three other members were indicted, starting with Mikhail Vasiliev in November 2022, Mikhail Pavlovich Matveev (aka “Wazawaka”) in May 2023, and Ruslan Magomedovich Astamirov in June 2023.

The US Department of Justice is advertising a US$10 million reward (roughly A$15.4 million) for information leading to the arrest of Matveev through the US Department of State’s Transnational Organized Crime Rewards Program.

Two defendants have also been criminally charged for the use of LockBit and are in custody and set to face trial in the US.

“The agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have worked with them and used their services to harm organisations throughout the world,” the NCA release continued.

“LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data.

“Over the last 12 hours, this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down.”

Two hundred cryptocurrency accounts linked to LockBit have also been frozen.

The NCA has announced that it will assist UK victims, having obtained over 1,000 decryption keys.

The FBI and Europol will be supporting victims in their jurisdictions.

“This NCA-led investigation is a groundbreaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the agency and our partners,” wrote the director general of the NCA, Graeme Biggar.

“Through our close collaboration, we have hacked the hackers, taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.

“As of today, LockBit are locked out. We have damaged the capability and, most notably, the credibility of a group that depended on secrecy and anonymity.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious, and we will not stop in our efforts to target this group and anyone associated with them.”

Additionally, law enforcement and government leaders are saying that this is a significant step in dismantling cyber crime internationally but that the fight is not over.

“Today’s actions are another down payment on our pledge to continue dismantling the ecosystem fueling cyber crime by prioritising disruptions and placing victims first,” said US Deputy Attorney-General Lisa Monaco.

“Using all our authorities and working alongside partners in the United Kingdom and around the world, we have now destroyed the online backbone of the LockBit group, one of the world’s most prolific ransomware gangs.

“But our work does not stop here: together with our partners, we are turning the tables on LockBit – providing decryption keys, unlocking victim data, and pursuing LockBit’s criminal affiliates around the globe.”

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.