FBI/allies seize dark-web site of world’s most prolific ransomware gang

The FBI and its international allies have seized a dark-web site that the world’s most prolific ransomware gang has used to extort its victims, according to a message on the website viewed by CNN.

It’s a blow to the near-term operations of a multinational ransomware gang known as LockBit, which has been a menace to organizations all over the world, including health care providers in the US. The hackers claimed credit for a November ransomware attack that forced New Jersey-based Capital Health to cancel some patient appointments.

LockBit also claimed responsibility for ransomware attacks on the Industrial and Commercial Bank of China and Fulton County, Georgia, in recent months.

“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action — this is an ongoing and developing operation,” says a message posted on the hackers’ website on Monday, along with the seals of the FBI, UK National Crime Agency (NCA) and a host of other law enforcement agencies from Australia to Germany.

On Tuesday morning, US and UK authorities revealed a fuller picture of the crackdown against LockBit: the NCA and FBI said they had developed software that could let “hundreds” of victims worldwide decrypt computers locked by the hackers.

Two LockBit operatives were arrested in Poland and Ukraine at the request of French authorities, Europol, the EU’s law enforcement agency, said without naming the two people.

Separately, the US Justice Department announced the indictment of two Russian men, Ivan Gennadievich Kondratiev and Artur Sungatov, for deploying LockBit ransomware against victim organizations throughout the US, including against unnamed manufacturing firms. The Treasury Department also announced sanctions against Kondratiev and Sungatov

But it’s unclear if they will ever see the inside of a US courtroom. Kondratiev is in Russia, the Treasury Department said. The department did not identify a location for Sungatov.

The US and Russia do not have an extradition treaty, and bilateral cooperation on cybercrime is even lower than usual given tensions over Russia’s war in Ukraine.

LockBit has targeted more than 2,000 victims and received more than $120 million in ransom payments, the Justice Department said in a statement.

The NCA statement suggested a long-running infiltration of LockBit, allowing law enforcement to acquire the hackers’ “source code,” or the secret nuts and bolts of a software program that make it function.

Seizing a ransomware group’s dark-web site forces cybercriminals to set up new computer infrastructure to extort victims. It can also signal deeper law enforcement access to the hackers’ networks. In another operation against a ransomware gang announced a year ago, the FBI said it had access to decryption software that saved victims about $130 million in ransom payments.

Analysts believe LockBit has members or criminal partners in Eastern Europe, Russia and China. Like other cash-flush ransomware groups, LockBit rents out its ransomware to “affiliates,” who use the malicious code in attacks, then takes a cut of the ransom paid out by victims.

LockBit’s ransomware has been rampant in the last year — far outpacing other variants of ransomware, according to private experts. LockBit accounts for a quarter of the ransomware market based on victim information the hackers have posted online, according to Don Smith, vice president of threat research at cybersecurity firm Secureworks.

Government and private investigators all over the world will be scrutinizing LockBit’s next moves. Well-resourced ransomware groups often rebuild their computer infrastructure after law enforcement disruptions — and rename their hacking tools in an effort to limit reputational damage in the criminal underworld.

This operation is the latest move in a multi-year struggle between the FBI and its allies around the world and ransomware gangs that are often based in Eastern Europe and Russia.

While there have been notable arrests and law enforcement seizures of millions of dollars’ worth of ransom payments, the ransomware economy continues to thrive.

Cybercriminals extorted a record $1.1 billion in ransom payments from victim organizations around the world last year despite US government efforts to cut off their money flows, crypto-tracking firm Chainalysis estimated.

“It is highly unlikely core members of the LockBit group will be arrested as part of this operation, since they are based in Russia,” Allan Liska, a ransomware expert with cybersecurity firm Recorded Future, told CNN.

Nonetheless, he said, the law enforcement seizure of LockBit’s website “means there will be a significant, if short lived, impact on the ransomware ecosystem and a slow-down in attacks,” Liska said.

“LockBit has also developed a reputation as one of the most ruthless ransomware operators, encouraging affiliates to target hospitals and schools,” he added. “My hope is that these sectors will get some breathing room to build their defenses.”