News

Dark web site run by ransomware cybergang Lockbit that was behind high-profile hacking of Royal Mail is seized in joint sting by the National Crime Agency and FBI


The world’s most dangerous ransomware gang behind damaging cyber attacks on countless targets including Royal Mail, Porton Down and a nuclear submarine base has been taken down in a ‘highly significant’ global operation led by ‘Britain’s FBI‘.

The notorious Lockbit group makes money by hacking into computer systems and stealing sensitive data, which it threatens to release unless a huge ransom is paid. It has been linked to Russia but claims to be apolitical and ‘only interested in money’.

Visitors to its website now see a message revealing it is ‘now under control’ of The National Crime Agency, which targeted the site as part of a taskforce that includes the FBI, Europol and more than a dozen other global police agencies.

Lockbit was recently revealed to have stolen secret military and defence material from the HMNB Clyde nuclear submarine base, the Porton Down chemical weapons lab and a GCHQ listening post. This was then shared on the dark web.

Information about a specialist cyber defence site and some of Britain’s high security prisons was also stolen in the raid on Zaun, a provider of fences for maximum security sites.

Visitors to the Lockbit website now see a message saying it is 'under the control of law enforcement'

Visitors to the Lockbit website now see a message saying it is ‘under the control of law enforcement’ 

Lockbit also hacked the Royal Mail Group in January and made ransom demands of £66million at the time. The company did not pay the extortionate fee but saw its services disrupted and had to spend £10million on anti-ransomware software.

Representatives from the NCA and FBI today confirmed that they had disrupted the gang and said the operation was ‘ongoing and developing’. 

Lockbit either carries out attacks for its own gain or is paid by like-minded criminal groups.

What is ransomware?

Cybercriminals mounting a ransomware attack first hack into a computer system before using ‘blockers’ to stop their victim accessing their device.

This may include a message telling them this is due to ‘illegal content’ such as porn being identified on their device.

Hackers then ask for a ransom to be paid, often in the form of Bitcoins or other untraceable cryptocurrencies, for the block to be removed.

In Lockbit’s case, the gang stole sensitive information and threatened to release it in public if no ransom was paid.  

In May 2017, a massive ransomware virus attack called WannaCry spread to the computer systems of hundreds of private companies and public organisations across the globe.

The group accounted for 23 per cent of the nearly 4,000 attacks globally last year in which ransomware gangs posted data stolen from victims to extort payment, according to the cybersecurity firm Palo Alto Networks. 

The group was discovered in 2020 when its eponymous malicious software was found on Russian-language cybercrime forums, leading some security analysts to believe the gang is based in Russia.

It has not professed support for any government, however, and no government has formally attributed it to a nation-state.

On its now-defunct dark web site, Lockbit said it was ‘located in the Netherlands, completely apolitical and only interested in money’.

Officials in the United States, where the group has hit more than 1,700 organisations in nearly every industry from financial services and food to schools, transportation and government departments, have described it as the world’s top ransomware threat.

‘They are the Walmart of ransomware groups, they run it like a business – that’s what makes them different,’ said Jon DiMaggio, chief security strategist at Analyst1, a US-based cybersecurity firm. ‘They are arguably the biggest ransomware crew today.’

In November last year, Lockbit published internal data from Boeing, one of the world’s largest defence and space contractors.

Lockbit said in a statement in Russian and shared on Tox, an encrypted messaging app, that the FBI hit its servers that run on the programming language PHP. The statement added that it has backup servers without PHP that ‘are not touched’.

On X, screenshots showed a control panel used by Lockbit’s affiliates to launch attacks had been replaced with a message from law enforcement.

‘We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more’, the message said. ‘We may be in touch with you very soon. Have a nice day’.

A previous Lockbit attack targeted Porton Down. Pictured is the Dstl high containment lab at the high-security facility in Wiltshire

A previous Lockbit attack targeted Porton Down. Pictured is the Dstl high containment lab at the high-security facility in Wiltshire 

The post named other international police organisations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany. 

Before it was taken down, Lockbit’s website displayed an ever-growing gallery of victim organisations that was updated nearly daily.

Next to their names were digital clocks that showed the number of days left to the deadline given to each organisation to provide ransom payment.

Yesterday, Lockbit’s site displayed a similar countdown, but from the law enforcement agencies who hacked the hackers: ‘Return here for more information at: 11:30 GMT on Tuesday 20th Feb.,’ the post said.

Don Smith, vice president of Secureworks, an arm of Dell Technologies (DELL.N), opens new tab, said Lockbit was the most prolific and dominant ransomware operator in a highly competitive underground market.

‘To put today’s takedown into context, based on leak site data, Lockbit had a 25% share of the ransomware market. Their nearest rival was Blackcat at around 8.5%, and after that it really starts to fragment,’ Smith said.

‘Lockbit dwarfed all other groups and today’s action is highly significant.’

The Lockbit attack on HMNB Clyde, Porton Down and GCHQ was revealed in September. 

MPs warned that any information which gives security information to the UK’s enemies was of huge concern.

Lockbit either carries out attacks for its own gain or is paid by other criminal gangs

Lockbit either carries out attacks for its own gain or is paid by other criminal gangs 

A defence source said the hack was being taken ‘very seriously’ but it was not thought any information was stolen that presented a real threat to national security, and there were currently no ransom demands as the hacked data had already been published.

The leak also included information about security equipment at RAF Waddington in Lincolnshire, where the MQ-9 Reaper attack drones squadron is based, and Cawdor Barracks, which has specialist electronic warfare regiments.

And documents relating to high security prisons including Category A Long Lartin in Worcestershire and Whitemoor in Cambridgeshire were also stolen in the hack.

Lockbit are thought to have been behind as many as 1,400 cyber-attacks globally and brought Japan’s busiest cargo port to a shuddering halt in July after attacking the system that manages the movement of containers.

Russian national Magomedovich Astamirov has been charged in the US for ‘involvement in deploying numerous LockBit ransomware and other attacks in the US, Asia, Europe, and Africa’.

And last year the US announced charges against Russian-Canadian Mikhail Vasiliev, who is being held in Canada awaiting extradition.

Another Russian, Mikhail Pavlovich Matveev, is wanted for alleged participation in other Lockbit attacks.

Ransomware is the costliest and most disruptive form of cybercrime, crippling local governments, court systems, hospitals and schools as well as businesses. It is difficult to combat as most gangs are based in former Soviet states and out of reach of Western justice. 

Law enforcement agencies have scored some recent successes against ransomware gangs, most notably the FBI’s operation against the Hive syndicate. But the criminals regroup and rebrand.

The NCA has previously warned that ransomware remains one of the biggest cyber threats facing the UK, and urges people and organisations not to pay ransoms if they are targeted.



Source link

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button