A notorious cybercrime gang has been disrupted by the National Crime Agency (NCA) and an alliance of international police agencies.
Lockbit and its affiliates have hacked some of the world's largest organizations in recent months, but as of Monday their extortion site displays a message saying it is "under the control of the UK National Crime Agency".
Five charges have been brought against Russian citizens.
But what is Lockbit, what are its criminal tactics, and who has fallen victim to it? Here's what we know…
What Lockbit does
The gang makes money by stealing sensitive data and threatening to leak it if victims fail to pay a hefty ransom.
Its affiliates are like-minded criminal groups recruited to launch attacks using Lockbit's digital extortion tools.
US officials have described Lockbit as the world's biggest ransomware threat. The group has hit organizations in almost every industry, from financial services and food to schools, transportation and government departments.
The gang has caused billions of pounds, dollars and euros in losses, both in ransom payments and recovery costs, according to the UK's National Cyber Security Centre (NCSC).
Until Monday, Lockbit's website offered a growing gallery of victim organizations that was updated almost daily.
Next to their names were countdown clocks showing the number of days remaining until each organization's deadline to pay the ransom.
The FBI considers Lockbit ransomware responsible for at least 1,700 attacks in the United States alone.
What are the group's tactics?
The National Cyber Security Centre and the US Cybersecurity and Infrastructure Security Agency (CISA) shed some light on Lockbit's tactics last year, as it became "the most widespread ransomware worldwide."
In an extensive advisory on mitigation, they described how the Lockbit operation uses a "ransomware-as-a-service" model, in which the core group sells access to its ransomware variant to otherwise unconnected affiliates and supports them in carrying out attacks.
The advisory also highlighted the risk of double extortion, a common tactic among ransomware actors: they encrypt a victim's systems and also exfiltrate data, threatening to publish it online unless a ransom is paid.
Lockbit's methods are of course more involved than this, but here are some highlights summarized from the CISA advisory:
- It has three main strains: Lockbit, Lockbit Red and Lockbit Black, the last of which is the group's flagship ransomware. It encrypts files on compromised computers and demands payment in hard-to-trace cryptocurrencies in exchange for decrypting them
- Not only does the core group let affiliates use its ransomware, it lets those affiliates receive ransom payments directly before passing a share back to the core group. This is in contrast to similar groups, which tend to collect the payment themselves before paying affiliates
- Its ransomware is kept simple, with a point-and-click interface, making it accessible to a wide range of cybercriminals, even those with a lower degree of technical skill.
Essentially, Lockbit keeps things as simple as possible for potential affiliates, because the more criminals it appeals to, the more cuts of affiliates' extortion payments the core group collects.
But the group's tactics go further, according to CISA, extending to self-promotion through methods such as:
- Disparaging rival groups in online forums to make Lockbit look like the best ransomware on the market
- Paying people to get Lockbit tattoos
- Offering a reward of $1 million (£794,163) for information revealing the true identity of the Lockbit leader, who goes by the persona 'LockBitSupp'.
What do we know about Lockbit's origins and motivations?
The group said on its website that it “is located in the Netherlands, is completely apolitical and only cares about money.”
But its malware was first discovered on Russian-language cybercrime forums in 2020, leading some security analysts to believe the gang was based in Russia.
The group has since been detected around the world, and common targets include organizations in the UK, US, India and Brazil, according to cybersecurity firm Trend Micro.
High profile cases
With its worldwide reach, Lockbit has been in the news repeatedly since 2020.
The most notable case in the United Kingdom came early last year, when Royal Mail suffered severe disruption after a Lockbit attack.
A Royal Mail investigation found that the gang had infected the machines that print customs labels for parcels sent abroad, leaving more than half a million parcels and letters stuck in limbo.
The gang also threatened to publish the stolen data on the dark web, and printers at Royal Mail's Northern Ireland distribution centre began spewing out copies of the ransom note, a signature intimidation tactic of the gang.
Royal Mail asked customers to temporarily stop sending export items while the NCSC helped it resolve the issue.
Threat to a car dealership
The previous year, Lockbit affiliates attempted to impose a $60m (£54m) ransom on UK car retail group Pendragon, but the company refused to pay, saying the hack had not affected its ability to operate and that it had "taken immediate steps" to contain the incident.
A children's hospital is a step too far
Another infamous incident occurred in December 2022, when Lockbit ransomware was used to attack SickKids in Canada, disrupting the hospital's systems.
Curiously, the core gang claimed to have released a free decryption tool for the hospital to use, saying a member had violated their “policies”.
It said that affiliates are prohibited from encrypting medical institutions where attacks could lead to death.
A security company hit
In August last year, Lockbit hackers allegedly obtained highly sensitive security information about some of the country's most sensitive military sites, including the HMNB Clyde nuclear submarine base on the west coast of Scotland and the Porton Down chemical weapons laboratory, according to the Sunday Mirror.
Thousands of pages of data were leaked to the dark web after private security firm Zaun was targeted.
The company, which provides security fencing for sites linked to the Ministry of Defence, confirmed in a statement that it had been the victim of a “sophisticated cyberattack.”
A Zaun spokesperson added that it had taken “all reasonable measures to mitigate any attacks on our systems” and explained that it had referred the matter to the NCSC.
Latest major incident
There were reports of Lockbit activity just last week, when Indian company Motilal Oswal Financial Services said it detected malicious activity on some employees' computers.
The company said it addressed the problem within an hour, adding that its operations were not affected.
“This incident did not impact any of our business operations and IT environment. It is business as usual,” the company, valued at about $15.3 billion, told Reuters.
What happens now that the NCA has seized Lockbit's infrastructure?
The full notice that appeared on the Lockbit website on Monday says: "This website is now under the control of the UK National Crime Agency, operating in close cooperation with the FBI and the international law enforcement task force, 'Operation Cronos.'"
Europol and other international police organizations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany assisted in the rare law enforcement operation.
A spokesman for the National Crime Agency confirmed that the agency had disrupted the gang, and said that the operation was "ongoing and developing."
"The NCA has taken control of Lockbit's primary administration environment, which enabled affiliates to build and carry out attacks, and the group's public-facing leak site on the dark web, on which they previously hosted, and threatened to release, data stolen from victims," the NCA added in a statement on Tuesday.
"Instead, this site will now host a series of information exposing Lockbit's capability and operations, which the NCA will publish daily throughout the week."
The US Department of Justice announced that two defendants accused of using Lockbit to carry out ransomware attacks have been charged, are in custody and will face trial in the US.
A Lockbit representative posted messages on an encrypted messaging app saying the gang had backup servers that were not affected by the law enforcement action.