Random Image Display on Page Reload

LockBit digital gang disrupted by international law enforcement in ‘Operation Cronos’

LockBit, a notorious cybercrime gang that holds its victims' data to ransom, has been disrupted in a rare international law enforcement operation, according to a post on the gang's extortion website on Monday. Canada played a role in the operation.

Canada played a role in operation, according to post on LockBit's site

Close up of hands on a laptop keyboard. Green text, suggestive of lines of code, appear on the computer screen.

LockBit, a notorious cybercrime gang that holds its victims' data to ransom, has been disrupted in a rare international law enforcement operation by Britain's National Crime Agency, the U.S. Federal Bureau of Investigation, Europol and Canadian authorities, according to a post on the gang's extortion website on Monday.

"This site is now under the control of the National Crime Agency of the U.K., working in close co-operation with the FBI and the international law enforcement task force, 'Operation Cronos,'" the post said.

An NCA spokesperson confirmed that the agency had disrupted the gang and said the operation was "ongoing and developing."

The post named other international police organizations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany.

LockBit and its affiliates have hacked some of the world's largest organizations in recent months. The gang makes money by stealing sensitive data and threatening to leak it if victims fail to pay an extortionate ransom. Its affiliates are like-minded criminal groups that are recruited by the group to wage attacks using LockBit's digital extortion tools.

The gang is believed to have played a role in the disruption of some Canadian companies, including the Indigo bookstore chain in March 2023, when a hacker group demanded a ransom for stolen employee data.

LockBit first had a presence in Canada in March 2020. Within two years, it was responsible for 22 cent of all attributed randomware incidents, according to a joint advisory issued by the Canadian Centre for Cyber Security last year.

Released in conjunction with cyber authorities from other countries, the advisory named LockBit the top ransomware threat.

Ransomware is malicious software that encrypts data. LockBit makes money by coercing its targets into paying a ransom to decrypt or unlock that data with a digital key.

Some believe LockBit based in Russia

LockBit was discovered in 2020 when its eponymous malicious software was found on Russian-language cybercrime forums, leading some security analysts to believe the gang is based in Russia.

The gang has not professed support for any government, however, and no government has formally attributed it to a nation-state. On its now-defunct dark web site, the group said it was "located in the Netherlands, completely apolitical and only interested in money."

"They are the Walmart of ransomware groups. They run it like a business — that's what makes them different," said Jon DiMaggio, chief security strategist at Analyst1, a U.S.-based cybersecurity firm. "They are arguably the biggest ransomware crew today."

A screenshot of a web page shows LockBit 3.0 logos, the Indigo Books logo, and "Files are Published" but there are no links to download files.

LockBit has hit more than 1,700 organizations in nearly every industry, from financial services and food to schools, transportation and government departments in the United States. Those attacks collectively cost those organizations about $91 million US, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said last year.

In November last year, LockBit published internal data from Boeing, one of the world's largest defence and space contractors. In early 2023, Britain's Royal Mail faced severe disruption after an attack by the group.

'Highly significant'

Before it was taken down, LockBit's website displayed an ever-growing gallery of victim organizations that was updated nearly daily. Next to their names were digital clocks showing the number of days left to the deadline given to each organization to provide a ransom payment.

On Monday, LockBit's site displayed a similar countdown, but from the law enforcement agencies that hacked the hackers: "Return here for more information at: 11:30 GMT on Tuesday 20th Feb." the post said.

Don Smith, vice-president of Secureworks, an arm of Dell Technologies, said LockBit was the most prolific and dominant ransomware operator in a highly competitive underground market.

"LockBit dwarfed all other groups and today's action is highly significant," he said.

"LockBit's affiliates allegiances with the group were already fickle, and so whilst some may be dissuaded, unfortunately many will likely align with other criminal organizations."

But Ian L. Paterson, CEO of Plurilock Security, a B.C.-based cybersecurity company, said ransomware operators will now need to use other software.

After speaking with chief information security officers on Monday, he stressed that this disruption won't end attacks altogether.

"Most expect the bad guys to be back online in a matter of hours," he told CBC News.

"In the past, when we saw ransomware crews get disrupted, we saw the same people pop up, either in existing groups or re-form under a new name."

It's possible law enforcement has enough information to pursue individuals involved in previous attacks, he said.

With files from CBC News

Credit belongs to : www.cbc.ca

Check Also

Maryland just issued 175,000 pot pardons. Can Canada do the same?

Maryland’s governor issued 175,000 pardons for marijuana convictions in one fell swoop on Monday, as …