One of the world’s biggest criminal hacking gangs woke up on Tuesday to a startling discovery: law enforcement, after taking over their main website on Monday, were now threatening to reveal their personal details and data about their cybercrime organisation.
The group, Lockbit, had become notorious in cybercrime circles for using malicious software called ransomware to digitally extort victims, relying on underground marketing campaigns to boost its profile. At one point, Lockbit had promised US$1 000 to anyone who tattooed their logo on themselves, according to cybersecurity researchers.
The group’s ringleader, known by the online moniker LockbitSupp, had also become so confident in their own anonymity that, according to Britain’s National Crime Agency (NCA), they had promised $10-million to the first person who could find and unmask them.
The international law enforcement operation, which had posted on the extortion website on Monday that it had taken control, on Tuesday announced it had re-engineered Lockbit’s core online system — mimicking the countdown clock that Lockbit used in extortion attempts and posing its own $10-million challenge, according to a review of Lockbit’s darkweb site.
The core online system was re-engineered to target the hackers in the same way they had terrorised victims: with an advent calendar-like series of tiles, each marked with a countdown timer that, upon reaching zero, published stolen data.
Across the website’s front page, where victim names once stood, law enforcement agencies replaced the text and links with internal data obtained by hacking the hackers themselves.
Yearslong investigation
The resulting display was a smorgasbord of law enforcement action against Lockbit which included indictments, sanctions, a tool with which victims can decrypt their data, and a new countdown with two days left on the clock which asked: “Who is LockbitSupp? The $10 million question.”
Before it was taken down, Lockbit’s website had displayed an ever-growing gallery of victim organisations that was updated nearly daily. Next to the names were digital clocks showing the number of days left to the deadline given to each organisation to provide ransom payment.
The unique law enforcement operation was the result of a yearslong investigation by international police agencies and was designed to undermine the group’s credibility in the criminal underground, officials said.
“Lockbit’s affiliates should be very concerned right now, especially as law enforcement continues to make decryptors available to victims,” said Charles Carmakal, Mandiant Consulting’s chief technology officer.
The US has charged two Russian nationals with deploying Lockbit ransomware against companies and groups around the world. Police in Poland and Ukraine made two arrests.
Before it was seized by police, Lockbit was able to extort multiple hacking victims at the same time through its website, which listed breached companies next to the countdown timer.
Once the counter expired, the cybercriminals would often publish caches of stolen data from the victimised company – historically, these exposures included personal private information of customers, medical records, internal billing data and the communications of internal staff, among other things.
These leaks were intended to harm the reputation of victims and put them in legal jeopardy, experts said, netting Lockbit over $120-million in ransom payments.
On Tuesday, Graeme Biggar, director-general of the NCA, told journalists that the true cost, including money spent by organisations and corporations scrambling to regain access to their networks and the impact on business, could amount to losses totalling billions. — Christopher Bing and James Pearson, (c) 2024 Reuters