In the wake of the comprehensive LockBit takedown by law enforcement agencies, the aftermath has been significant. Subsequent to the recent disruption of LockBit, law enforcement authorities have uncovered additional intelligence on the LockBit ransomware group and its network of affiliates, particularly concerning numerous Bitcoin addresses and financial assets.
After the arrest of Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord), the authorities have found a trove of 30,000 Bitcoin addresses associated with the LockBit ransomware and its affiliates.
This decisive move not only inflicts a substantial financial setback on cybercriminals but also sends a resounding message of deterrence to those lurking in the clandestine depths of the dark web.
The LockBit takedown campaign, known as Operation Cronos, marks a crucial step in the ongoing efforts to dismantle cybercriminal networks. With 193 affiliates implicated at the time of the seizure, the scale of LockBit’s operations comes into stark relief.
Notably, LockBit was also associated with other threat actors and groups, such as Evil Corp and FIN7, also known as Carbon Spider or Sangria Tempest.
The LockBit Takedown: Operation Cronos’ Global Security Action Plan
Through Operation Cronos, insights into the workings of LockBit and its affiliates have emerged, shedding light on the vast profits accumulated over the years. A tweet from security researcher Dominic Alvieri offers a glimpse, revealing a post from the LockBit ransomware group’s extensive financial gains amassed during their four-year operation.
Furthermore, the affiliation of LockBit with various threat actors highlights the complex web of cybercriminal activity. EvilCorp, FIN7, and others are among the 11 threat actors associated with LockBit, emphasizing the interconnected nature of dark web actors.
The National Crime Agency, working with Operation Cronos, has conducted a crypto chain analysis on the LockBit ransomware group, revealing insights into their operation. From LockBit’s systems, approximately 30,000 BTC addresses were obtained, with over 500 of them actively transacting on the blockchain.
The collective value of these transactions exceeds £100 million at the current BTC valuation, with over 2,200 BTC remaining unspent, totaling over £90 million.
These funds consist of payments from both victims and LockBit affiliates, with a notable portion representing the 20% fee paid to LockBit. Consequently, the actual ransom payments are substantially higher than initially estimated.
These funds comprise both victim payments and LockBit’s fees, with actual ransom payments likely far surpassing these figures.
LockBit Members Arrested But They Beg to Differ
This news follows recent developments in the crackdown on LockBit cybercrime activities. Ukraine’s arrest of a father-son duo linked to LockBit highlights international cooperation in combating cyber threats. Similarly, the United States has brought charges against two Russian nationals for deploying LockBit ransomware tools globally, highlighting the widespread impact of criminal activities associated with LocKbit.
Despite these crackdowns, LockBit’s administration denies the legitimacy of the arrests, questioning the credibility of law enforcement agencies. Offering a substantial bounty for information on their members, LockBit challenges the investigative capabilities of authorities, signaling a defiant stance in the face of intensified scrutiny.
In essence, the takedown of LockBit and its affiliates represents a long awaited victory in the ongoing battle against cybercrime. However, as cybercriminals adapt and evolve, sustained collaboration and innovation will be crucial in staying one step ahead in the fight to safeguard digital ecosystems.
Fixing the Fallout: Authorities Offering Decrypters to Victims
Authorities are providing decryption tools to victims of the LockBit 3.0 ransomware attack. Upon accessing the designated site, users encounter a message indicating control by the UK, US, and Cronos Task Force, along with law enforcement agencies like the National Crime Agency and Europol.
The site features updates on investigations, including recent indictments by the FBI and sanctions imposed by the US against cyber threat actors. Additionally, a recovery tool developed in Japan is highlighted for accessing encrypted files, expanding Europol’s #Nomoreransom initiative.
Notably, a redirection ban is enforced on LockBit 3.0, while the authorities offer assistance in decryption and recovery. The site emphasizes reporting cyberattacks and provides insights into cyber choices. Recent activities in Poland and Ukraine are also documented. Overall, amidst ongoing law enforcement efforts and international cooperation, victims are encouraged to utilize available tools and resources to combat the LockBit 3.0 ransomware threat.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
