• eNewsletter Subscription
  • Operations Leadership Summit
  • Great Question Podcast
    • National Crime Agency of the United Kingdom
    lockbit_site_seizure_notice_hero
    1. Technology and IIoT
    2. Cybersecurity

    International Cybersecurity Operation Takes Down Russian Cybercriminal Gang

    Feb. 20, 2024
    Sometimes the good guys win in cybersecurity.

    The LockBit ransomware gang, responsible in recent history for cyberattacks on Toyota Motor Corp.’s primary shipping port in Japan, Boeing’s parts and distribution business and the German automotive group Continental, is practically neutralized thanks to a multinational law enforcement joint operation dubbed Operation Cronos.

    The National Crime Agency of the United Kingdom, that coordinated the operation centered around hacking the gang’s server infrastructure, now controls the website used by LockBit to distribute stolen data. Authorities took down 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the U.K. and U.S. and seized more than 200 crypto wallets. 

    The LockBit gang used its custom namesake software in over 2,000 ransomware attacks and extorted more than $120 million in ransom payments according to the Justice Department. This is a major hit against cybercrime and good news for manufacturers, the most common ransomware targets for cybercriminal gangs like LockBit.

    How Law Enforcement Beat LockBit

    Two members of the gang, in Poland and Ukraine, are under arrest. French and U.S. law enforcement issued three international arrest warrants and five indictments targeting other LockBit members. U.S. Attorney General Merrick B. Garland announced today the operation’s success and new indictments on the Justice Department’s YouTube channel.

    Europol (European Union Agency for Law Enforcement Cooperation) tells BleepingComputer that regulators have identified more than 14,000 accounts used by LockBit to seize and distribute data and marked those for removal.

    Something like Operation Cronos requires a lot of time and effort and coordination between different government does and law enforcement, says Javvad Malik, lead security awareness advocate at KnowBe4.

    Share Your Opinions on Manufacturing Technology

    IndustryWeek is in the midst of our annual technology survey. We'd love to hear your thoughts on how well technology suppliers are supporting manufacturing and what's working (and not working) with your tech investments. People who complete the survey will enter a drawing for one of two $50 Amazon gift cards. Please take some time and share your thoughts

    “Imagine LockBit as a highly secretive club that operates in the digital underworld. … The FBI, NCA, Europol and other international partners, have been quietly investigating LockBit. They've been gathering intelligence, tracking their activities, and plotting a way to infiltrate their networks without being detected.

    "After finding a weakness, law enforcement managed to sneak into LockBit’s digital fortress. … Once inside, the law enforcement agencies took over LockBit's systems. This is like dashing into the club’s headquarters, locking the owners out, and taking control of everything inside—computers, documents, and all the stolen goods.

    "Arrests have been made, and financial assets linked to LockBit frozen, showcasing the global effort in dismantling this group's operations. The message is clear: no cybercriminal is beyond the reach of the law,” says Malik.

    Manufacturers Can Help Take Down Cybercriminals

    As Malik suggests, law enforcement actions like Operation Chronos require a tremendous amount of intelligence gathering. While manufacturers may understandably be reticent to report ransomware attacks to authorities if the consequences are not material and therefore don’t have to be reported to the SEC, today’s announcement shows that the good guys can and do win. The ammunition to do so is also what the ransomware attackers steal: data.

    “The earlier people report, the quicker the NCA and partners are able to assess new methodologies and limit the damage they can do to others,” reads the National Crime Agency statement posted today.

    Avishai Avivi, CISO at SafeBreach, thinks Operation Cronos represents a significant victory in the battle against cybercrime and also a reminder of companies’ need to remain vigilant.

    It's crucial to recognize that the tactics, techniques and procedures (TTPs) employed by LockBit are likely to be repurposed and reused by other malicious actors in the future. As such, proactive measures, including enhancing cybersecurity defenses, sharing threat intelligence, and implementing robust incident response plans, remain imperative to mitigate the evolving threat landscape of ransomware and other cyber threats,” says Avivi.

    Tom Marsland, VP of technology at Cloud Range, agrees that information sharing between organizations makes successes like Operation Cronos possible. Even if LockBit is offline, however, not all and perhaps only a few individuals that made up the gang are under arrest.

    The LockBit group, also known as Bitwise Spider, is a financially motivated group that has targeted countries on every continent, offering Ransomware-as-a-Service. They are a highly sophisticated group that requires extensive resources to infiltrate their infrastructure and take them offline. Thanks to the good work of law enforcement, they are down, but I predict they will come around in other forms in the future. Now that their TTPs have been fully realized, it will be difficult for them to operate at the level they previously held,” says Marsland.

    A free decryption tool for the LockBit 3.0 ransomware software, based on the seizure of over a thousand decryption keys to recover encrypted files stolen by the gang, is also now available on the No More Ransom website.

    Continue Reading

    Popular Sponsored Recommendations

    Voice your opinion!

    To join the conversation, and become an exclusive member of IndustryWeek, create an account today!