An international law enforcement operation has led to the seizure of multiple darknet domains operated by LockBit, one of the most prolific ransomware groups, marking the latest in a long list of digital takedowns. While the full extent of the effort, codenamed Operation Cronos, is presently unknown, visiting the group's ‘.onion’ website displays a seizure banner containing the message "The site is now under the control of law enforcement." Authorities from 11 countries (Australia, Canada, Finland, France, Germany, Japan, the Netherlands, Sweden, Switzerland, the UK, and the US), working alongside Europol, took part in the joint operation.[1]
See: https://redskyalliance.org/xindustry/what-s-wrong-with-my-sub
Malware research group VX-Underground said in a message posted on X (formerly Twitter) that the websites were taken down by exploiting a critical security flaw in PHP (CVE-2023-3824, CVSS score: 9.8) that can lead to remote code execution.
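The article does not say which PHP release LockBit's panel was running, and it does not describe the exploit; the practical question for a defender is simply whether a given PHP install sits inside the affected range. The following is an added example, not code from the article or from any of the parties it names: it classifies a PHP version string (as printed by `php -v` or leaked in an `X-Powered-By` header) against the fix releases published with the PHP 8.0.30, 8.1.22 and 8.2.8 security updates for CVE-2023-3824. The sample banner strings are constructed for illustration. Treating pre-8.0 branches as "end-of-life, unpatched" is an assumption of this check: those branches were out of security support when the fix shipped, so no upstream fix exists for them.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Branches affected by CVE-2023-3824 and the release that fixed each one
# (PHP security releases of August 2023: 8.0.30, 8.1.22, 8.2.8).
FIXED_IN = {
    (8, 0): (8, 0, 30),
    (8, 1): (8, 1, 22),
    (8, 2): (8, 2, 8),
}

def parse_php_version(raw: str) -> Optional[Version]:
    """Pull major.minor.patch out of banners such as
    'PHP 8.1.21 (cli) (built: ...)', 'X-Powered-By: PHP/8.2.7' or '8.2.7-1ubuntu1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def classify_php_version(raw: str) -> str:
    """Return one of:
      'vulnerable'     - an affected 8.x branch below its fix release
      'fixed'          - at or past the fix release, or a branch released after it (8.3+)
      'eol_unpatched'  - pre-8.0 branch; out of support, no upstream fix (assumption: treat as exposed)
      'unknown'        - no parseable version in the string"""
    v = parse_php_version(raw)
    if v is None:
        return "unknown"
    branch = (v[0], v[1])
    if branch in FIXED_IN:
        return "vulnerable" if v < FIXED_IN[branch] else "fixed"
    if branch < (8, 0):
        return "eol_unpatched"
    return "fixed"

def triage(banners):
    """Classify a list of banner strings; returns (banner, status) pairs."""
    return [(b, classify_php_version(b)) for b in banners]

if __name__ == "__main__":
    # Constructed sample inputs, not data from the article.
    SAMPLE_BANNERS = [
        "PHP 8.1.21 (cli) (built: Jul  5 2023 12:00:00)",
        "X-Powered-By: PHP/8.2.8",
        "8.2.7-1ubuntu1",
        "PHP/7.4.33",
        "Apache/2.4",
    ]
    for banner, status in triage(SAMPLE_BANNERS):
        print(f"{status:14s} {banner}")
```

One caveat a practitioner should keep in mind: distribution packages (Debian, Ubuntu, RHEL) often backport the security fix without bumping the upstream version number, so a string such as `8.2.7-1ubuntu1` can report `vulnerable` here while the package changelog shows the CVE already addressed. Use this as a first-pass triage against exposed version banners and confirm against the package's own changelog before drawing conclusions.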
Law enforcement agencies also left a note on the affiliate panel, stating they are in possession of the "source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more," adding it was made possible due to LockBit's "flawed infrastructure."
LockBit, which emerged on 3 September 2019, has been one of the most active and notorious ransomware gangs in history, claiming more than 2,000 victims to date. It's estimated to have extorted at least $91 million from US organizations alone. According to data shared by cybersecurity firm ReliaQuest, LockBit listed 275 victims on its data leak portal in the fourth quarter of 2023, dwarfing all its competitors.
There is no word yet of any arrests or sanctions, but the development is a definite blow to LockBit's near-term operations and arrives two months after the BlackCat ransomware operation was dismantled by the US government.
See: https://redskyalliance.org/xindustry/the-new-cat-is-a-sphynx
The coordinated takedown also coincides with the arrest of a 31-year-old Ukrainian national for gaining unauthorized access to Google and online bank accounts belonging to American and Canadian users by deploying malware, and for selling that access to other threat actors on the dark web for financial gain.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Call for assistance. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://thehackernews.com/2024/02/lockbit-ransomwares-darknet-domains.html