Law Enforcement Leaves Taunting Post For Lockbit Cyber Criminals
Police hackers left a taunting message telling criminals 'we may be in touch with you very soon, have a nice day' after locking a notorious ransomware gang out of their own website.
The National Crime Agency - known as 'Britain's FBI' - and other international partners, broke into LockBit, which was used in a quarter of all ransomware attacks last year.
On Monday evening, a message appeared on the Russia-based website stating it was 'now under control of law enforcement', with agencies posting a message directly addressing the hackers.
'We have the source code, details of the victims you have attacked, the amount of money extorted, the data stolen, bokep indo chats and much, much more,' it read. 'We may be in touch with you very soon. Have a nice day.'
Lockbit has been causing havoc by hacking into computer systems and stealing sensitive data which it then threatens to release unless the victims pay an extortionate ransom - with the group earning $120million (£95m).
The Russian-speaking hackers make money by selling their services to fellow crime gangs, with targets including Royal Mail, the NHS, Porton Down, a nuclear submarine base and hundreds of companies in the UK and abroad.
On X, screenshots showed a control panel used by Lockbit's affiliates to launch attacks had been replaced with a message from law enforcement. 'We may be in touch with you very soon. Have a nice day,' it said
Mikhail Pavlovich Matveev is one of five Russians charged over Lockbit, which has been described as the world's most dangerous ransomware gang
Visitors to the Lockbit website now see a message saying it is 'under the control of law enforcement'
The National Crime Agency called the group the 'Rolls-Royce' of ransomware and said it behaved like a 'legitimate businesses', with a 'slick, easy to use' website and marketing gimmicks including $1,000 for anyone who gets a tattoo of its logo.
Seven suspects have been arrested so far and five people have been charged, including two Russians, Mikhail Vasiliev, who is being held in Canada, and Ruslan Magomedovich Astamirov, who is in the US.
The remaining three - Artur Sungatov, Ivan Kondratyev and Mikhail Pavlovich Matveev - remain at large. The FBI is offering a $10million reward for information leading to the arrest of Matveev, who goes by the alias 'Wazawaka
Visitors to its Lockbit's homepage on the dark web now see a message revealing it is 'under the control' of The National Crime Agency, which targeted the site as part of a taskforce of 10 countries that includes the FBI and Europol.
What is ransomware?
Cybercriminals mounting a ransomware attack first hack into a computer system before using 'blockers' to stop their victim accessing their device.
This may include a message telling them this is due to 'illegal content' such as porn being identified on their device.
Hackers then ask for a ransom to be paid, often in the form of Bitcoins or other untraceable cryptocurrencies, for the block to be removed.
In Lockbit's case, the gang stole sensitive information and threatened to release it in public if no ransom was paid.
In May 2017, a massive ransomware virus attack called WannaCry spread to the computer systems of hundreds of private companies and public organisations across the globe.
Advertisement
They said the 'permissive environment' in Russia allowed the group to operate - with gangsters never targeting nations in the former Soviet Union - but do not believe the the regime of Vladimir Putin was directly involved.
Lockbit was recently revealed to have stolen secret military and defence material from the HMNB Clyde nuclear submarine base, the Porton Down chemical weapons lab and a GCHQ listening post. This was then shared on the dark web.
Information about a specialist cyber defence site and some of Britain's high security prisons was also stolen in the raid on Zaun, which makes fences for maximum security sites.
Lockbit also hacked the Royal Mail Group in January and made ransom demands of £66million at the time. The company did not pay the extortionate fee but saw its services disrupted and had to spend £10million on anti-ransomware software.
It has also been linked to attacks on international law firm Allen and Overy and China's biggest bank, ICBC.
Representatives from the NCA and FBI today confirmed that they had disrupted the gang and said the operation was 'ongoing and developing'.
NCA Director General, Graeme Biggar, said Lockbit had been the 'most prolific' ransomware group in the last four years, responsible for 25 per cent of attacks in the last year.
He told a press conference in London yesterday that there were at least 200 victims in the UK and thousands abroad, leading to billions of pounds worth of damages - both in ransom payments and the cost of responding to attacks.
'We have hacked the hackers, taken control of their infrastructure and seized their source code,' Mr Biggar said.
'We have arrested, indicted and sanctioned some of the perpetrators and gained intelligence on the criminals using the software - who we will now continue to pursue.
'As of today, Lockbit is effectively redundant - Lockbit has been locked out.'
The NCA released a video revealing how the group operates
The NCA has now seized Lockbit's site and is publishing information to aid victims
Paul Foster, head of the NCA's national cybercrime unit, said that LockBit's popularity was partly because it was so easy to use.
He said: 'LockBit had established itself as the preeminent ransomware strain over the last four years and one of the reasons for this was its intuitive platform and its relative ease of use.
'That means just with a few simple clicks even the less technically savvy cybercriminals used LockBit to deploy ransomware.
'Another key reason for their past criminal success was the marketing and branding that underpinned LockBit. They had a slick website and they had loyal customers.
'They ran a successful marketing campaign that included a promise to pay 1,000USD to anybody who had the LockBit logo tattooed on themselves.'
Experts said that while LockBit may rebuild its network, the law enforcement action is a major setback.
Five defendants have been charged so far for launching ransomware attacks using Lockbit, including two Russian nationals.
Infrastructure supporting LockBit's tool that was used to steal data, known as StealBit, based in three countries, has been seized, together with 200 cryptocurrency accounts.
There are more than 200 victims in the UK and thousands internationally.
NCA investigators found that the gang behind the ransomware attacks did not always delete data when victims paid ransoms.
It said it has found more than 1,000 decryption keys held by the group and will be contacting UK-based victims to help them recover encrypted data.
Lockbit either carries out attacks for its own gain or is paid by so-called affiliates - made up of like-minded international gangsters.
British police targeted the site as part of a taskforce of 10 countries that includes the FBI and Europol
The gang accounted for 23 per cent of the nearly 4,000 attacks globally last year in which ransomware gangs posted data stolen from victims to extort payment, according to the cybersecurity firm Palo Alto Networks.
The group was discovered in 2020 when its eponymous malicious software was found on Russian-language cybercrime forums, leading some security analysts to believe the gang is based in Russia.
It has not professed support for any government, however, and no government has formally attributed it to a nation-state.
On its now-defunct site, Lockbit said it was 'located in the Netherlands, completely apolitical and only interested in money'.
Officials in the United States, where the group has hit more than 1,700 organisations in nearly every industry from financial services and food to schools, transportation and government departments, have described it as the world's top ransomware threat.