Cybercrime: Links between Lockbit and Russian syndicate uncovered

Published on October 1, 2024

The Cronos investigative group around the British NCA and the US Department of Justice has reported further success in the fight against the Lockbit ransomware gang. The prosecutors published details of arrests, seizures and sanctions in a press release and on a darknet leak site. In several places, investigators arrested Lockbit affiliates, i.e. independent criminals who were allowed to use the gang's software and infrastructure in return for a share of the ransom.

Arrests in France, Spain and the UK

In France, investigators caught a "major Lockbit player", according to the announcement. The person, whose personal data the French authorities did not publish, was apparently on vacation outside Russia and is now facing extradition to France. He is said to be one of the developers of the ransomware.

The British NCA has reported two arrests in connection with the ransomware gang in its home country. The suspects are accused of having participated in extortion and money laundering for the Lockbit gang; the investigators claim to have tracked down the men using the Lockbit data stolen in February.

The Spanish Guardia Civil, meanwhile, took action at Madrid airport: they arrested the operator of a "Bullet Proof Hoster" who had enabled the operation of Lockbit servers in its data center. The Guardia Civil confiscated a total of nine servers and thus obtained information about the gang and its operations.

Sanctions against Evil Corp

The investigators also claim to have exposed a member of an older cybercrime syndicate as a Lockbit "affiliate". Before becoming involved in the ransomware gang's activities, the Russian Aleksandr R. was active in "Evil Corp", a group that, like many Lockbit members, is based in Russia. Evil Corp had developed the Dridex and BitPaymer malware and used it in attacks.

For five years, several members of the group have been wanted by the US government, with seven-figure rewards offered, and today the US Department of Justice has brought charges against Aleksandr R. for his involvement in cyber attacks. Together with Great Britain and Australia, the US government has also imposed economic sanctions on seven members of Evil Corp and two alleged front companies of the criminal gang.

Lockbit activities have decreased

Meanwhile, the Lockbit gang's darknet leak sites are still online, so the NCA has not been able to get hold of them. Instead, it used an older site for its announcement, which it came across during the operation in February this year. Since then, investigators have repeatedly used the website on the Tor network to make announcements intended to sow distrust among gang members.

The remaining affiliates are still attacking organizations around the world with ransomware, but the volume of their attacks has shrunk significantly. In addition, the operators of the Lockbit leak sites were caught several times falsifying entries, probably to simulate activity. The investigators are chalking this up as a success of "Operation Cronos": the past six months have not been good for Lockbit, the NCA said in a statement.

(cku)

Source: heise online