{"id":23983,"date":"2024-02-28T10:57:22","date_gmt":"2024-02-28T18:57:22","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/02\/28\/news-17713\/"},"modified":"2024-02-28T10:57:22","modified_gmt":"2024-02-28T18:57:22","slug":"news-17713","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/02\/28\/news-17713\/","title":{"rendered":"Law enforcement trolls LockBit, reveals massive takedown"},"content":{"rendered":"\n

In an act of exquisite trolling, the UK’s National Crime Agency (NCA) has announced further details about its disruption of the LockBit ransomware group<\/a> by using the group’s own dark web website.<\/p>\n

\"The
The LockBit dark web site has a new look<\/figcaption><\/figure>\n

Since the demise of Conti<\/a> in 2022, LockBit has been unchallenged as the most prolific ransomware group in the world. In the last 12 months it has racked up more than two and half times as many known attacks as its closest rival. That all stopped yesterday, though, when the LockBit site was replaced with a banner decorated with the flags and badges of the countries and agencies that cooperated to “disrupt” it. The banner read:<\/p>\n

\n

This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, \u2018Operation Cronos\u2019.<\/p>\n<\/blockquote>\n

It also promised more information would be revealed today at 11:30 GMT. It didn’t disappoint. There was a press release<\/a>, of course, and a video:<\/p>\n

\n
\n
\n

The NCA reveals details of an international disruption campaign targeting the world\u2019s most harmful cyber crime group, Lockbit.<\/p>\n

Watch our video and read on to learn more about Lockbit and why this is a huge step in our collective fight against cyber crime. pic.twitter.com\/m00VFWkR9Z<\/a><\/p>\n

— National Crime Agency (NCA) (@NCA_UK) February 20, 2024<\/a><\/p><\/blockquote><\/div>\n<\/figure>\n

But the real treat was an updated version of the LockBit website that returned it to something resembling its former self. However, some crucial details had changed. Until yesterday, the secret dark web site was used to list details of the organizations being held to ransom by LockBit. Green squares represented companies whose data had been leaked. Timers on the red squares showed companies under threat of a leak just how long they had until their stolen data would be published.<\/p>\n

Not any more, though. <\/p>\n

In a graphic illustration of just how comprehensively the LockBit group has been compromised, the green squares now detail published information about the takedown, while red squares tease further reveals for the coming days.<\/p>\n

\n

Today, after infiltrating the group\u2019s network, the NCA has taken control of LockBit\u2019s services, compromising their entire criminal enterprise.<\/p>\n<\/blockquote>\n

As well as taking over the leak site, law enforcement agencies have taken over LockBit\u2019s administration environment, seized the infrastructure used by LockBit’s data exfiltration tool, Stealbit, captured over 1,000 decryption keys, and frozen 200 cryptocurrency accounts.<\/p>\n

\"LockBit
A screenshot from LockBit’s admin panel<\/figcaption><\/figure>\n

The group’s source code has also fallen into the hands of law enforcement, along with “a vast amount of intelligence” from its systems. Criminal affiliates who logged into the compromised environment were warned that the NCA knows all about their activities too, and the NCA reports that 28 servers belonging to LockBit affiliates have been taken down, too.<\/p>\n

Two “LockBit actors” have been arrested in Poland and Ukraine, and the US Department of Justice has announced that two defendants responsible for using LockBit in ransomware attacks have been charged, are in custody, and will face trial in the US. It also unsealed indictments against two Russian nationals, for conspiring to commit LockBit attacks. <\/p>\n

There are numerous reveals promised for the next few days, but the most tantalising is the imminent uncloaking of LockBit’s leader and spokesperson, LockBitSupp.<\/p>\n

\"Screenshot
The identity of Lockbitsupp won’t be a mystery for much longer<\/figcaption><\/figure>\n

The NCA could have put the information about the takedown anywhere, but it didn’t; it did something memorable, humorous, and deliberately humiliating with it. In other words, it mimicked perfectly the way that ransomware gangs troll the world and each other. In doing so, the NCA signaled that it knows all about LockBit and the broader community of criminals it belongs to. It knows that LockBit’s affiliates and rivals will be watching, and looking over their shoulder.<\/p>\n

Good times.<\/p>\n

How to avoid ransomware<\/h2>\n