National Crime Agency of the United Kingdom

International Cybersecurity Operation Takes Down Russian Cybercriminal Gang

Feb. 20, 2024
Sometimes the good guys win in cybersecurity.

The LockBit ransomware gang, responsible in recent history for cyberattacks on Toyota Motor Corp.’s primary shipping port in Japan, Boeing’s parts and distribution business and the German automotive group Continental, is practically neutralized thanks to a multinational law enforcement joint operation dubbed Operation Cronos.

The National Crime Agency of the United Kingdom, which coordinated the operation centered on hacking the gang’s server infrastructure, now controls the website used by LockBit to distribute stolen data. Authorities took down 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the U.K. and U.S. and seized more than 200 crypto wallets.

The LockBit gang used its custom namesake software in over 2,000 ransomware attacks and extorted more than $120 million in ransom payments, according to the Justice Department. This is a major hit against cybercrime and good news for manufacturers, the most common ransomware targets for cybercriminal gangs like LockBit.

How Law Enforcement Beat LockBit

Two members of the gang, in Poland and Ukraine, are under arrest. French and U.S. law enforcement issued three international arrest warrants and five indictments targeting other LockBit members. U.S. Attorney General Merrick B. Garland announced today the operation’s success and new indictments on the Justice Department’s YouTube channel.

Europol (European Union Agency for Law Enforcement Cooperation) tells BleepingComputer that regulators have identified more than 14,000 accounts used by LockBit to seize and distribute data and marked those for removal.

Something like Operation Cronos requires a lot of time, effort and coordination between different government bodies and law enforcement, says Javvad Malik, lead security awareness advocate at KnowBe4.

Manufacturers Can Help Take Down Cybercriminals

As Malik suggests, law enforcement actions like Operation Cronos require a tremendous amount of intelligence gathering. While manufacturers may understandably be reticent to report ransomware attacks to authorities if the consequences are not material and therefore don’t have to be reported to the SEC, today’s announcement shows that the good guys can and do win. The ammunition to do so is also what the ransomware attackers steal: data.

“The earlier people report, the quicker the NCA and partners are able to assess new methodologies and limit the damage they can do to others,” reads the National Crime Agency statement posted today.

Avishai Avivi, CISO at SafeBreach, thinks Operation Cronos represents a significant victory in the battle against cybercrime and also a reminder of companies’ need to remain vigilant.

“It's crucial to recognize that the tactics, techniques and procedures (TTPs) employed by LockBit are likely to be repurposed and reused by other malicious actors in the future. As such, proactive measures, including enhancing cybersecurity defenses, sharing threat intelligence, and implementing robust incident response plans, remain imperative to mitigate the evolving threat landscape of ransomware and other cyber threats,” says Avivi.

Tom Marsland, VP of technology at Cloud Range, agrees that information sharing between organizations makes successes like Operation Cronos possible. Even if LockBit is offline, however, not all, and perhaps only a few, of the individuals who made up the gang are under arrest.

“The LockBit group, also known as Bitwise Spider, is a financially motivated group that has targeted countries on every continent, offering Ransomware-as-a-Service. They are a highly sophisticated group that requires extensive resources to infiltrate their infrastructure and take them offline. Thanks to the good work of law enforcement, they are down, but I predict they will come around in other forms in the future. Now that their TTPs have been fully realized, it will be difficult for them to operate at the level they previously held,” says Marsland.

A free decryption tool for the LockBit 3.0 ransomware software, based on the seizure of over a thousand decryption keys to recover encrypted files stolen by the gang, is also now available on the No More Ransom website.
