A hacker behind the LockBit ransomware site has boasted that its shutdown was because he got ‘very lazy after five years swimming in money’ as the gang claimed to be operating again a week after being taken down by ‘Britain’s FBI‘. 

The shadowy Russian-linked outfit was the target of an unprecedented international law enforcement operation last week which saw some of its members arrested and charged.

But after being taken down by an international coalition led by the National Crime Agency the cybercrime gang says it has restored its services and is back in business.

In a post on the dark web, Lockbit claimed it started to notice problems early in the morning of February 19, but things went back to normal. ‘I didn’t pay much attention to it, because for 5 years [sic] of swimming in money I became very lazy,’ they wrote.

Lockbit, which accounts for up to a quarter of ransomware attacks, has been causing havoc by hacking into computer systems and stealing sensitive data which it then threatens to release unless the victims pay an extortionate ransom.

Mikhail Pavlovich Matveev is one of five Russians charged over Lockbit, which has been described as the world's most dangerous ransomware gang

Mikhail Pavlovich Matveev is one of five Russians charged over Lockbit, which has been described as the world’s most dangerous ransomware gang 

LockBit's website was last week taken down. Visitors to the Lockbit website now see a message saying it is 'under the control of law enforcement'. But the hackers have now set up a new site

LockBit’s website was last week taken down. Visitors to the Lockbit website now see a message saying it is ‘under the control of law enforcement’. But the hackers have now set up a new site

The NCA had released a video revealing how the group operates

The NCA had released a video revealing how the group operates 

The Russian-speaking hackers make money by selling their services to fellow crime gangs, with targets including Royal Mail, the NHS, Porton Down and hundreds of companies in the UK and abroad.

Last week, the NCA, FBI, Europol and other policing agencies announced it had seized some of the group’s servers, stolen data and cryptocurrency addresses. 

Seven suspects have been arrested so far and five people have been charged, including two Russians, Mikhail Vasiliev, who is being held in Canada, and Ruslan Magomedovich Astamirov, who is in the US.

The remaining three – Artur Sungatov, Ivan Kondratyev and Mikhail Pavlovich Matveev – remain at large. The FBI is offering a $10million reward for information leading to the arrest of Matveev, who goes by the alias ‘Wazawaka”.

But the cybercriminals have refused to bow down to the authorities and have set up a new website on the dark web.

What is ransomware?

Cybercriminals mounting a ransomware attack first hack into a computer system before using ‘blockers’ to stop their victim accessing their device.

This may include a message telling them this is due to ‘illegal content’ such as porn being identified on their device.

Hackers then ask for a ransom to be paid, often in the form of Bitcoins or other untraceable cryptocurrencies, for the block to be removed.

In Lockbit’s case, the gang stole sensitive information and threatened to release it in public if no ransom was paid.  

In May 2017, a massive ransomware virus attack called WannaCry spread to the computer systems of hundreds of private companies and public organisations across the globe.

Releasing a lengthy statement, a member of the group said the FBI was able to seize its servers ‘due to my personal negligence and irresponsibility’.

The statement, posted in English and Russian, also said: ‘I relaxed and did not update PHP [website software] in time.

‘All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies.’ 

The latest website also posted what it claimed was new hacked data.

A spokesperson for the NCA, which led the international effort to seize Lockbit’s operations, said the group ‘remains completely compromised’.

‘We recognised Lockbit would likely attempt to regroup and rebuild their systems. However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues,’ the NCA said on Monday.

The new Lockbit darkweb site showed a gallery of company names, each attached to a countdown clock marking the deadline within which that company was required to pay ransom.

‘They want to scare me because they cannot find and eliminate me, I cannot be stopped,’ said the statement, which was presented as part of a mock-up leak from the FBI.

The statement also declared an intention to vote for Donald Trump in the US presidential election and offered a job to whoever hacked LockBit’s main site. 

The NCA previously called the group the ‘Rolls-Royce’ of ransomware and said it behaved like a ‘legitimate businesses’, with a ‘slick, easy to use’ website and marketing gimmicks including $1,000 for anyone who gets a tattoo of its logo.

Visitors to its Lockbit’s old website were greeted with a message revealing it is ‘under the control’ of the NCA, which targeted the site as part of a taskforce of 10 countries that includes the FBI and Europol.

They said the ‘permissive environment’ in Russia allowed the group to operate – with gangsters never targeting nations in the former Soviet Union – but do not believe the the regime of Vladimir Putin was directly involved. 

Lockbit was recently revealed to have stolen secret military and defence material from the HMNB Clyde nuclear submarine base, the Porton Down chemical weapons lab and a GCHQ listening post. This was then shared on the dark web.

Information about a specialist cyber defence site and some of Britain’s high security prisons was also stolen in the raid on Zaun, which makes fences for maximum security sites. 

British police targeted the site as part of a taskforce of 10 countries that includes the FBI and Europol

British police targeted the site as part of a taskforce of 10 countries that includes the FBI and Europol

A previous Lockbit attack targeted Porton Down. Pictured is the Dstl high containment lab at the high-security facility in Wiltshire

A previous Lockbit attack targeted Porton Down. Pictured is the Dstl high containment lab at the high-security facility in Wiltshire 

Lockbit either carries out attacks for its own gain or is paid by other criminal gangs

Lockbit either carries out attacks for its own gain or is paid by other criminal gangs 

Lockbit also hacked the Royal Mail Group in January and made ransom demands of £66million at the time. The company did not pay the extortionate fee but saw its services disrupted and had to spend £10million on anti-ransomware software. 

It has also been linked to attacks on international law firm Allen and Overy and China’s biggest bank, ICBC. 

NCA Director General, Graeme Biggar, last week said Lockbit had been the ‘most prolific’ ransomware group in the last four years, responsible for 25 per cent of attacks in the last year. 

He told a press conference in London that there were at least 200 victims in the UK and thousands abroad, leading to billions of pounds worth of damages – both in ransom payments and the cost of responding to attacks. 

‘We have hacked the hackers, taken control of their infrastructure and seized their source code,’ Mr Biggar said. 

‘We have arrested, indicted and sanctioned some of the perpetrators and gained intelligence on the criminals using the software – who we will now continue to pursue. 

‘As of today, Lockbit is effectively redundant – Lockbit has been locked out.’

Paul Foster, head of the NCA’s national cybercrime unit, said that LockBit’s popularity was partly because it was so easy to use.

He said: ‘LockBit had established itself as the preeminent ransomware strain over the last four years and one of the reasons for this was its intuitive platform and its relative ease of use.

‘That means just with a few simple clicks even the less technically savvy cybercriminals used LockBit to deploy ransomware.

‘Another key reason for their past criminal success was the marketing and branding that underpinned LockBit. They had a slick website and they had loyal customers.

‘They ran a successful marketing campaign that included a promise to pay 1,000USD to anybody who had the LockBit logo tattooed on themselves.’

Q&A: How did ransomware group Lockbit make money and who were its targets? 

How does Lockbit operate?

Rather than conduct an entire criminal operation itself, Lockbit developed the malicious software – ‘ransomware’ – that enables attackers to lock victims out of their computers and networks.

Victims were then told to pay ransom in cryptocurrency in exchange for regaining access to their data. Those who did not pay risked having their data dumped on the dark web.

The ‘Lockbit’ ransomware was first observed in 2020, and made money through up-front payments and subscription fees for the software, or from a cut of the ransom, according to the US Cybersecurity & Infrastructure Security Agency (CISA).

The model is known as ‘Ransomware as a Service’, or RaaS.

Lockbit usually conducted itself as a professional enterprise, seeking feedback from customers – called ‘affiliates’ – and rolling out ransomware improvements.

‘Lockbit operates like a business. They run – or ran – a tight ship, which has enabled them to outlast many other ransomware operations,’ Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, said.

Lockbit is believed to have operated out of multiple locations, and cybersecurity experts say its members were Russian speakers.

How lucrative is ransomware?

In 2023, extortions by ransomware groups exceeded $1 billion in cryptocurrency for the first time, according to data published this month by blockchain firm Chainalysis.

Lockbit has targeted more than 2,000 victims worldwide, receiving more than $120 million in ransom, the US Department of Justice said Tuesday.

These potentially huge payouts have emboldened cybercriminals.

‘Awash with money, the ransomware ecosystem surged in 2023 and continued to evolve its tactics,’ the cybersecurity firm MalwareBytes said in a report published this month.

‘The number of known attacks increased 68 percent, average ransom demands climbed precipitously, and the largest ransom demand of the year was a staggering $80 million.’

That demand came after a LockBit attack severely disrupted Britain’s post operator Royal Mail for weeks.

Who are Lockbit’s victims?

Lockbit ransomware has been used against a wide variety of targets, from small businesses and individuals to huge corporations.

It was used ‘for more than twice as many attacks as its nearest competitor in 2023’, according to MalwareBytes.

The group has gained notoriety and attention from law enforcement agencies after high-profile attacks such as the one on Royal Mail.

Last November, it was blamed for an attack on the US arm of the Industrial and Commercial Bank of China (ICBC) – one of the biggest financial institutions in the world – as well as US aerospace giant Boeing.

In 2022, a Lockbit affiliate attacked the Hospital for Sick Children in Toronto, Canada, disrupting lab and imaging results. LockBit reportedly apologised for that attack.

‘Although Lockbit developers have created rules stipulating that their ransomware will not be used against critical infrastructure, it is clear that Lockbit affiliates largely disregard these rules,’ Stacey Cook, an analyst at the cybersecurity firm Dragos, wrote in a report published last year.

‘Lockbit developers do not appear to be overly concerned with holding their affiliates accountable.’

Who is fighting back, and how?

Lockbit’s growing visibility and its affiliates’ increasing attacks meant law enforcement agencies ramped up their efforts to win this cat-and-mouse game.

An alliance of agencies from 10 nations, led by Britain’s National Crime Agency, on Tuesday said they had disrupted LockBit at ‘every level’ in an effort codenamed ‘Operation Cronos’.

Europol said 34 servers in Europe, Australia, the United States and Britain were taken down and 200 Lockbit-linked cryptocurrency accounts were frozen.

The NCA said the action had compromised Lockbit’s ‘entire criminal enterprise’.

‘This likely spells the end of LockBit as a brand. The operation has been compromised and other cybercriminals will not want to do business with them,’ Emsisoft’s Callow said. 

But in recent years, cybersecurity experts have detected ransomware groups that suspended operations following law enforcement action only to re-emerge under different names.

‘Our work does not stop here. LockBit may seek to rebuild their criminal enterprise,’ NCA Director General Graeme Biggar said in a statement.

‘However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.’

Post source: Daily mail

You May Also Like

Plastic surgeon praised by Sarah Ferguson has also been hailed as ‘incredible’ by Prince William 

The award-winning plastic surgeon praised by Sarah Ferguson has also previously been…

The only son of novelist Graham Greene, 85, killed himself in the grounds of his Devon home

The only son of novelist Graham Greene, 85, killed himself in the…

Do YOU know what’s in your food? Take our healthy eating quiz

Do you really know what’s in your food? Take DailyMail.com’s surprisingly difficult…

COVID-19: Retired health manager unprepared for what she saw at Residence Herron, coroner hears

A coroner’s inquest into deaths at a suburban Montreal long-term care home…