Login
There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. βALPHVβ) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Changeβs network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliateβs disclosure appears to have prompted BlackCat to cease operations entirely.
Image: Varonis.
In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.
On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.
The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a βransomware-as-serviceβ collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.
βBut after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,β the affiliate βNotchyβ wrote. βSadly for Change Healthcare, their data [is] still with us.β
Change Healthcare has neither confirmed nor denied paying, and has responded to multiple media outlets with a similar non-denial statement β that the company is focused on its investigation and on restoring services.
Assuming Change Healthcare did pay to keep their data from being published, that strategy seems to have gone awry: Notchy said the list of affected Change Healthcare partners theyβd stolen sensitive data from included Medicare and a host of other major insurance and pharmacy networks.
On the bright side, Notchyβs complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems.
BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers.
However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code.
The seizure notice now displayed on the BlackCat darknet website.
βThereβs no sense in making excuses,β wrote the RAMP member βRansom.β βYes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything thatβs happening and are trying to solve the issue with the transactions by using a higher fee, but thereβs no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.β
BlackCatβs website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCatβs network. The FBI has not responded to requests for comment.
Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an βexit scamβ on affiliates by withholding many ransomware payment commissions at once and shutting down the service.
βALPHV/BlackCat did not get seized,β Wosar wrote on Twitter/X today. βThey are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice.β
Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCatβs exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own.
βThe affiliates still have this data, and theyβre mad they didnβt receive this money, Smilyanets told Wired.com. βItβs a good lesson for everyone. You cannot trust criminals; their word is worth nothing.β
BlackCatβs apparent demise comes closely on the heels of the implosion of another major ransomware group β LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On Feb. 20, LockBitβs website was seized by the FBI and the U.K.βs National Crime Agency (NCA) following a months-long infiltration of the group.
LockBit also tried to restore its reputation on the cybercrime forums by resurrecting itself at a new darknet website, and by threatening to release data from a number of major companies that were hacked by the group in the weeks and days prior to the FBI takedown.
But LockBit appears to have since lost any credibility the group may have once had. After a much-promoted attack on the government of Fulton County, Ga., for example, LockBit threatened to release Fulton Countyβs data unless paid a ransom by Feb. 29. But when Feb. 29 rolled around, LockBit simply deleted the entry for Fulton County from its site, along with those of several financial organizations that had previously been extorted by the group.
Fulton County held a press conference to say that it had not paid a ransom to LockBit, nor had anyone done so on their behalf, and that they were just as mystified as everyone else as to why LockBit never followed through on its threat to publish the countyβs data. Experts told KrebsOnSecurity LockBit likely balked because it was bluffing, and that the FBI likely relieved them of that data in their raid.
Smilyanetsβ comments are driven home in revelations first published last month by Recorded Future, which quoted an NCA official as saying LockBit never deleted the data after being paid a ransom, even though that is the only reason many of its victims paid.
βIf we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future,β LockBitβs extortion notes typically read.
Hopefully, more companies are starting to get the memo that paying cybercrooks to delete stolen data is a losing proposition all around.
The ransomware group LockBit told officials with Fulton County, Ga. they could expect to see their internal documents published online this morning unless the county paid a ransom demand. LockBit removed Fulton Countyβs listing from its victim shaming website this morning, claiming the county had paid. But county officials said they did not pay, nor did anyone make payment on their behalf. Security experts say LockBit was likely bluffing and probably lost most of the data when the gangβs servers were seized this month by U.S. and U.K. law enforcement.
The LockBit website included a countdown timer until the promised release of data stolen from Fulton County, Ga. LockBit would later move this deadline up to Feb. 29, 2024.
LockBit listed Fulton County as a victim on Feb. 13, saying that unless it was paid a ransom the group would publish files stolen in a breach at the county last month. That attack disrupted county phones, Internet access and even their court system. LockBit leaked a small number of the countyβs files as a teaser, which appeared to include sensitive and sealed court records in current and past criminal trials.
On Feb. 16, Fulton Countyβs entry β along with a countdown timer until the data would be published β was removed from the LockBit website without explanation. The leader of LockBit told KrebsOnSecurity this was because Fulton County officials had engaged in last-minute negotiations with the group.
But on Feb. 19, investigators with the FBI and the U.K.βs National Crime Agency (NCA) took over LockBitβs online infrastructure, replacing the groupβs homepage with a seizure notice and links to LockBit ransomware decryption tools.
In a press briefing on Feb. 20, Fulton County Commission Chairman Robb Pitts told reporters the county did not pay a ransom demand, noting that the board βcould not in good conscience use Fulton County taxpayer funds to make a payment.β
Three days later, LockBit reemerged with new domains on the dark web, and with Fulton County listed among a half-dozen other victims whose data was about to be leaked if they refused to pay. As it does with all victims, LockBit assigned Fulton County a countdown timer, saying officials had until late in the evening on March 1 until their data was published.
LockBit revised its deadline for Fulton County to Feb. 29.
LockBit soon moved up the deadline to the morning of Feb. 29. As Fulton Countyβs LockBit timer was counting down to zero this morning, its listing disappeared from LockBitβs site. LockBitβs leader and spokesperson, who goes by the handle βLockBitSupp,β told KrebsOnSecurity today that Fulton Countyβs data disappeared from their site because county officials paid a ransom.
βFulton paid,β LockBitSupp said. When asked for evidence of payment, LockBitSupp claimed. βThe proof is that we deleted their data and did not publish it.β
But at a press conference today, Fulton County Chairman Robb Pitts said the county does not know why its data was removed from LockBitβs site.
βAs I stand here at 4:08 p.m., we are not aware of any data being released today so far,β Pitts said. βThat does not mean the threat is over. They could release whatever data they have at any time. We have no control over that. We have not paid any ransom. Nor has any ransom been paid on our behalf.β
Brett Callow, a threat analyst with the security firm Emsisoft, said LockBit likely lost all of the victim data it stole before the FBI/NCA seizure, and that it has been trying madly since then to save face within the cybercrime community.
βI think it was a case of them trying to convince their affiliates that they were still in good shape,β Callow said of LockBitβs recent activities. βI strongly suspect this will be the end of the LockBit brand.β
Others have come to a similar conclusion. The security firm RedSense posted an analysis to Twitter/X that after the takedown, LockBit published several βnewβ victim profiles for companies that it had listed weeks earlier on its victim shaming site. Those victim firms β a healthcare provider and major securities lending platform β also were unceremoniously removed from LockBitβs new shaming website, despite LockBit claiming their data would be leaked.
βWe are 99% sure the rest of their βnew victimsβ are also fake claims (old data for new breaches),β RedSense posted. βSo the best thing for them to do would be to delete all other entries from their blog and stop defrauding honest people.β
Callow said there certainly have been plenty of cases in the past where ransomware gangs exaggerated their plunder from a victim organization. But this time feels different, he said.
βIt is a bit unusual,β Callow said. βThis is about trying to still affiliatesβ nerves, and saying, βAll is well, we werenβt as badly compromised as law enforcement suggested.β But I think youβd have to be a fool to work with an organization that has been so thoroughly hacked as LockBit has.β
Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the targetβs calendar at Calendly, a popular application for scheduling appointments and meetings. The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.
KrebsOnSecurity recently heard from a reader who works at a startup that is seeking investment for building a new blockchain platform for the Web. The reader spoke on condition that their name not be used in this story, so for the sake of simplicity weβll call him Doug.
Being in the cryptocurrency scene, Doug is also active on the instant messenger platform Telegram. Earlier this month, Doug was approached by someone on Telegram whose profile name, image and description said they were Ian Lee, from Signum Capital, a well-established investment firm based in Singapore. The profile also linked to Mr. Leeβs Twitter/X account, which features the same profile image.
The investor expressed interest in financially supporting Dougβs startup, and asked if Doug could find time for a video call to discuss investment prospects. Sure, Doug said, hereβs my Calendly profile, book a time and weβll do it then.
When the day and time of the scheduled meeting with Mr. Lee arrived, Doug clicked the meeting link in his calendar but nothing happened. Doug then messaged the Mr. Lee account on Telegram, who said there was some kind of technology issue with the video platform, and that their IT people suggested using a different meeting link.
Doug clicked the new link, but instead of opening up a videoconference app, a message appeared on his Mac saying the video service was experiencing technical difficulties.
βSome of our users are facing issues with our service,β the message read. βWe are actively working on fixing these problems. Please refer to this script as a temporary solution.β
Doug said he ran the script, but nothing appeared to happen after that, and the videoconference application still wouldnβt start. Mr. Lee apologized for the inconvenience and said they would have to reschedule their meeting, but he never responded to any of Dougβs follow-up messages.
It didnβt dawn on Doug until days later that the missed meeting with Mr. Lee might have been a malware attack. Going back to his Telegram client to revisit the conversation, Doug discovered his potential investor had deleted the meeting link and other bits of conversation from their shared chat history.
In a post to its Twitter/X account last month, Signum Capital warned that a fake profile pretending to be their employee Mr. Lee was trying to scam people on Telegram.
The file that Doug ran is a simple Apple Script (file extension β.scptβ) that downloads and executes a malicious trojan made to run on macOS systems. Unfortunately for us, Doug freaked out after deciding heβd been tricked β backing up his important documents, changing his passwords, and then reinstalling macOS on his computer. While this a perfectly sane response, it means we donβt have the actual malware that was pushed to his Mac by the script.
But Doug does still have a copy of the malicious script that was downloaded from clicking the meeting link (the online host serving that link is now offline). A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm SlowMist about phishing attacks on Telegram from North Korean state-sponsored hackers.
βWhen the project team clicks the link, they encounter a region access restriction,β SlowMist wrote. βAt this point, the North Korean hackers coax the team into downloading and running a βlocation-modifyingβ malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds.β
Image: SlowMist.
SlowMist says the North Korean phishing scams used the βAdd Custom Linkβ feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks.
βSince Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion,β the blog post explains. βConsequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code.β
SlowMist said the malware downloaded by the malicious link in their case comes from a North Korean hacking group dubbed βBlueNoroff, which Kaspersky Labs says is a subgroup of the Lazarus hacking group.
βA financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs,β Kaspersky wrote of BlueNoroff in Dec. 2023.
The North Korean regime is known to use stolen cryptocurrencies to fund its military and other state projects. A recent report from Recorded Future finds the Lazarus Group has stolen approximately $3 billion in cryptocurrency over the past six years.
While there is still far more malware out there today targeting Microsoft Windows PCs, the prevalence of information-stealing trojans aimed at macOS users is growing at a steady clip. MacOS computers include X-Protect, Appleβs built-in antivirus technology. But experts say attackers are constantly changing the appearance and behavior of their malware to evade X-Protect.
βRecent updates to macOSβs XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures,β security firm SentinelOne wrote in January.
According to Chris Ueland from the threat hunting platform Hunt.io, the Internet address of the fake meeting website Doug was tricked into visiting (104.168.163,149) hosts or very recently hosted about 75 different domain names, many of which invoke words associated with videoconferencing or cryptocurrency. Those domains indicate this North Korean hacking group is hiding behind a number of phony crypto firms, like the six-month-old website for Cryptowave Capital (cryptowave[.]capital).
In a statement shared with KrebsOnSecurity, Calendly said it was aware of these types of social engineering attacks by cryptocurrency hackers.
βTo help prevent these kinds of attacks, our security team and partners have implemented a service to automatically detect fraud and impersonations that could lead to social engineering,β the company said. βWe are also actively scanning content for all our customers to catch these types of malicious links and to prevent hackers earlier on. Additionally, we intend to add an interstitial page warning users before theyβre redirected away from Calendly to other websites. Along with the steps weβve taken, we recommend users stay vigilant by keeping their software secure with running the latest updates and verifying suspicious links through tools like VirusTotal to alert them of possible malware. We are continuously strengthening the cybersecurity of our platform to protect our customers.β
The increasing frequency of new Mac malware is a good reminder that Mac users should not depend on security software and tools to flag malicious files, which are frequently bundled with or disguised as legitimate software.
As KrebsOnSecurity has advised Windows users for years, a good rule of safety to live by is this: If you didnβt go looking for it, donβt install it. Following this mantra heads off a great deal of malware attacks, regardless of the platform used. When you do decide to install a piece of software, make sure you are downloading it from the original source, and then keep it updated with any new security fixes.
On that last front, Iβve found itβs a good idea not to wait until the last minute to configure my system before joining a scheduled videoconference call. Even if the call uses software that is already on my computer, it is often the case that software updates are required before the program can be used, and Iβm one of those weird people who likes to review any changes to the software makerβs privacy policies or user agreements before choosing to install updates.
Most of all, verify new contacts from strangers before accepting anything from them. In this case, had Doug simply messaged Mr. Leeβs real account on Twitter/X or contacted Signum Capital directly, he would discovered that the real Mr. Lee never asked for a meeting.
If youβre approached in a similar scheme, the response from the would-be victim documented in the SlowMist blog post is probably the best.
Image: SlowMist.
Update: Added comment from Calendly.
The FBIβs takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the countyβs ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.
A new LockBit website listing a countdown timer until the promised release of data stolen from Fulton County, Ga.
In early February, Fulton County leaders acknowledged they were responding to an intrusion that caused disruptions for its phone, email and billing systems, as well as a range of county services, including court systems.
On Feb. 13, the LockBit ransomware group posted on its victim shaming blog a new entry for Fulton County, featuring a countdown timer saying the group would publish the data on Feb. 16 unless county leaders agreed to negotiate a ransom.
βWe will demonstrate how local structures negligently handled information protection,β LockBit warned. βWe will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizensβ personal data. We aim to give maximum publicity to this situation; the documents will be of interest to many. Conscientious residents will bring order.β
Yet on Feb. 16, the entry for Fulton County was removed from LockBitβs site without explanation. This usually only happens after the victim in question agrees to pay a ransom demand and/or enters into negotiations with their extortionists.
However, Fulton County Commission Chairman Robb Pitts said the board decided it βcould not in good conscience use Fulton County taxpayer funds to make a payment.β
βWe did not pay nor did anyone pay on our behalf,β Pitts said at an incident briefing on Feb. 20.
Just hours before that press conference, LockBitβs various websites were seized by the FBI and the U.K.βs National Crime Agency (NCA), which replaced the ransomware groupβs homepage with a seizure notice and used the existing design of LockBitβs victim shaming blog to publish press releases about the law enforcement action.
The feds used the existing design on LockBitβs victim shaming website to feature press releases and free decryption tools.
Dubbed βOperation Cronos,β the effort involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gangβs activities. The government says LockBit has claimed more than 2,000 victims worldwide and extorted over $120 million in payments.
In a lengthy, rambling letter published on Feb. 24 and addressed to the FBI, the ransomware groupβs leader LockBitSupp announced that their victim shaming websites were once again operational on the dark web, with fresh countdown timers for Fulton County and a half-dozen other recent victims.
βThe FBI decided to hack now for one reason only, because they didnβt want to leak information fultoncountyga.gov,β LockBitSupp wrote. βThe stolen documents contain a lot of interesting things and Donald Trumpβs court cases that could affect the upcoming US election.β
A screen shot released by LockBit showing various Fulton County file shares that were exposed.
LockBit has already released roughly two dozen files allegedly stolen from Fulton County government systems, although none of them involve Mr. Trumpβs criminal trial. But the documents do appear to include court records that are sealed and shielded from public viewing.
George Chidi writes The Atlanta Objective, a Substack publication on crime in Georgiaβs capital city. Chidi says the leaked data so far includes a sealed record related to a child abuse case, and a sealed motion in the murder trial of Juwuan Gaston demanding the state turn over confidential informant identities.
Chidi cites reports from a Fulton County employee who said the confidential material includes the identities of jurors serving on the trial of the rapper Jeffery βYoung Thugβ Williams, who is charged along with five other defendants in a racketeering and gang conspiracy.
βThe screenshots suggest that hackers will be able to give any attorney defending a criminal case in the county a starting place to argue that evidence has been tainted or witnesses intimidated, and that the release of confidential information has compromised cases,β Chidi wrote. βJudge Ural Glanville has, I am told by staff, been working feverishly behind the scenes over the last two weeks to manage the unfolding disaster.β
LockBitSupp also denied assertions made by the U.K.βs NCA that LockBit did not delete stolen data as promised when victims agreed to pay a ransom. The accusation is an explosive one because nobody will pay a ransom if they donβt believe the ransomware group will hold up its end of the bargain.
The ransomware group leader also confirmed information first reported here last week, that federal investigators managed to hack LockBit by exploiting a known vulnerability in PHP, a scripting language that is widely used in Web development.
βDue to my personal negligence and irresponsibility I relaxed and did not update PHP in time,β LockBitSupp wrote. βAs a result of which access was gained to the two main servers where this version of PHP was installed.β
LockBitSuppβs FBI letter said the group kept copies of its stolen victim data on servers that did not use PHP, and that consequently it was able to retain copies of files stolen from victims. The letter also listed links to multiple new instances of LockBit dark net websites, including the leak page listing Fulton Countyβs new countdown timer.
LockBitβs new data leak site promises to release stolen Fulton County data on March 2, 2024, unless paid a ransom demand.
βEven after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment,β LockBitSupp wrote. βAll FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid.β
In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadnβt offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head β offering $10 million to anyone who could discover his real name.
After the NCA and FBI seized LockBitβs site, the groupβs homepage was retrofitted with a blog entry titled, βWho is LockBitSupp? The $10M question.β The teaser made use of LockBitβs own countdown timer, and suggested the real identity of LockBitSupp would soon be revealed.
However, after the countdown timer expired the page was replaced with a taunting message from the feds, but it included no new information about LockBitSuppβs identity.
On Feb. 21, the U.S. Department of State announced rewards totaling up to $15 million for information leading to the arrest and/or conviction of anyone participating in LockBit ransomware attacks. The State Department said $10 million of that is for information on LockBitβs leaders, and up to $5 million is offered for information on affiliates.
In an interview with the malware-focused Twitter/X account Vx-Underground, LockBit staff asserted that authorities had arrested a couple of small-time players in their operation, and that investigators still do not know the real-life identities of the core LockBit members, or that of their leader.
βThey assert the FBI / NCA UK / EUROPOL do not know their information,β Vx-Underground wrote. βThey state they are willing to double the bounty of $10,000,000. They state they will place a $20,000,000 bounty of their own head if anyone can dox them.β
In the weeks leading up to the FBI/NCA takedown, LockBitSupp became embroiled in a number of high-profile personal and business disputes on the Russian cybercrime forums.
Earlier this year, someone used LockBit ransomware to infect the networks of AN-Security, a venerated 30-year-old security and technology company based in St. Petersburg, Russia. This violated the golden rule for cybercriminals based in Russia and former soviet nations that make up the Commonwealth of Independent States, which is that attacking your own citizens in those countries is the surest way to get arrested and prosecuted by local authorities.
LockBitSupp later claimed the attacker had used a publicly leaked, older version of LockBit to compromise systems at AN-Security, and said the attack was an attempt to smear their reputation by a rival ransomware group known as βClop.β But the incident no doubt prompted closer inspection of LockBitSuppβs activities by Russian authorities.
Then in early February, the administrator of the Russian-language cybercrime forum XSS said LockBitSupp had threatened to have him killed after the ransomware group leader was banned by the community. LockBitSupp was excommunicated from XSS after he refused to pay an arbitration amount ordered by the forum administrator. That dispute related to a complaint from another forum member who said LockBitSupp recently stiffed him on his promised share of an unusually large ransomware payout.
A posted by the XSS administrator saying LockBitSupp wanted him dead.
KrebsOnSecurity sought comment from LockBitSupp at the ToX instant messenger ID listed in his letter to the FBI. LockBitSupp declined to elaborate on the unreleased documents from Fulton County, saying the files will be available for everyone to see in a few days.
LockBitSupp said his team was still negotiating with Fulton County when the FBI seized their servers, which is why the county has been granted a time extension. He also denied threatening to kill the XSS administrator.
βI have not threatened to kill the XSS administrator, he is blatantly lying, this is to cause self-pity and damage my reputation,β LockBitSupp told KrebsOnSecurity. βIt is not necessary to kill him to punish him, there are more humane methods and he knows what they are.β
Asked why he was so certain the FBI doesnβt know his real-life identity, LockBitSupp was more precise.
βIβm not sure the FBI doesnβt know who I am,β he said. βI just believe they will never find me.β
It seems unlikely that the FBIβs seizure of LockBitβs infrastructure was somehow an effort to stave off the disclosure of Fulton Countyβs data, as LockBitSupp maintains. For one thing, Europol said the takedown was the result of a months-long infiltration of the ransomware group.
Also, in reporting on the attackβs disruption to the office of Fulton County District Attorney Fani Willis on Feb. 14, CNN reported that by then the intrusion by LockBit had persisted for nearly two and a half weeks.
Finally, if the NCA and FBI really believed that LockBit never deleted victim data, they had to assume LockBit would still have at least one copy of all their stolen data hidden somewhere safe.
Fulton County is still trying to recover systems and restore services affected by the ransomware attack. βFulton County continues to make substantial progress in restoring its systems following the recent ransomware incident resulting in service outages,β reads the latest statement from the county on Feb. 22. βSince the start of this incident, our team has been working tirelessly to bring services back up.β
Update, Feb. 29, 3:22 p.m. ET: Just hours after this story ran, LockBit changed its countdown timer for Fulton County saying they had until the morning of Feb. 29 (today) to pay a ransonm demand. When the official deadline neared today, Fulton Countyβs listing was removed from LockBitβs victim shaming website. Asked about the removal of the listing, LockBitβs leader βLockBitSuppβ told KrebsOnSecurity that Fulton County paid a ransom demand. County officials have scheduled a press conference on the ransomware attack at 4:15 p.m. ET today.
U.S. and U.K. authorities have seized the darknet websites run by LockBit, a prolific and destructive ransomware group that has claimed more than 2,000 victims worldwide and extorted over $120 million in payments. Instead of listing data stolen from ransomware victims who didnβt pay, LockBitβs victim shaming website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.
Investigators used the existing design on LockBitβs victim shaming website to feature press releases and free decryption tools.
Dubbed βOperation Cronos,β the law enforcement action involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the unsealing of two indictments; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gangβs activities.
LockBit members have executed attacks against thousands of victims in the United States and around the world, according to the U.S. Department of Justice (DOJ). First surfacing in September 2019, the gang is estimated to have made hundreds of millions of U.S. dollars in ransom demands, and extorted over $120 million in ransom payments.
LockBit operated as a ransomware-as-a-service group, wherein the ransomware gang takes care of everything from the bulletproof hosting and domains to the development and maintenance of the malware. Meanwhile, affiliates are solely responsible for finding new victims, and can reap 60 to 80 percent of any ransom amount ultimately paid to the group.
A statement on Operation Cronos from the European police agency Europol said the months-long infiltration resulted in the compromise of LockBitβs primary platform and other critical infrastructure, including the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom. Europol said two suspected LockBit actors were arrested in Poland and Ukraine, but no further information has been released about those detained.
The DOJ today unsealed indictments against two Russian men alleged to be active members of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.
Ivan Gennadievich Kondratyev, a.k.a. βBassterlord,β allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka βREvilβ) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.
With the indictments of Sungatov and Kondratyev, a total of five LockBit affiliates now have been officially charged. In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail βWazawakaβ Matveev and Mikhail Vasiliev.
Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF). Matveev remains at large, presumably still in Russia. In January 2022, KrebsOnSecurity published Who is the Network Access Broker βWazawaka,β which followed clues from Wazawakaβs many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.
An FBI wanted poster for Matveev.
In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.
LockBit was known to have recruited affiliates that worked with multiple ransomware groups simultaneously, and itβs unclear what impact this takedown may have on competing ransomware affiliate operations. The security firm ProDaft said on Twitter/X that the infiltration of LockBit by investigators provided βin-depth visibility into each affiliateβs structures, including ties with other notorious groups such as FIN7, Wizard Spider, and EvilCorp.β
In a lengthy thread about the LockBit takedown on the Russian-language cybercrime forum XSS, one of the gangβs leaders said the FBI and the U.K.βs National Crime Agency (NCA) had infiltrated its servers using a known vulnerability in PHP, a scripting language that is widely used in Web development.
Several denizens of XSS wondered aloud why the PHP flaw was not flagged by LockBitβs vaunted βBug Bountyβ program, which promised a financial reward to affiliates who could find and quietly report any security vulnerabilities threatening to undermine LockBitβs online infrastructure.
This prompted several XSS members to start posting memes taunting the group about the security failure.
βDoes it mean that the FBI provided a pentesting service to the affiliate program?,β one denizen quipped. βOr did they decide to take part in the bug bounty program? :):)β
Federal investigators also appear to be trolling LockBit members with their seizure notices. LockBitβs data leak site previously featured a countdown timer for each victim organization listed, indicating the time remaining for the victim to pay a ransom demand before their stolen files would be published online. Now, the top entry on the shaming site is a countdown timer until the public doxing of βLockBitSupp,β the unofficial spokesperson or figurehead for the LockBit gang.
βWho is LockbitSupp?β the teaser reads. βThe $10m question.β
In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadnβt offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head β offering $10 million to anyone who could discover his real name.
βMy god, who needs me?,β LockBitSupp wrote on Jan. 22, 2024. βThere is not even a reward out for me on the FBI website. By the way, I want to use this chance to increase the reward amount for a person who can tell me my full name from USD 1 million to USD 10 million. The person who will find out my name, tell it to me and explain how they were able to find it out will get USD 10 million. Please take note that when looking for criminals, the FBI uses unclear wording offering a reward of UP TO USD 10 million; this means that the FBI can pay you USD 100, because technically, itβs an amount UP TO 10 million. On the other hand, I am willing to pay USD 10 million, no more and no less.β
Mark Stockley, cybersecurity evangelist at the security firm Malwarebytes, said the NCA is obviously trolling the LockBit group and LockBitSupp.
βI donβt think this is an accidentβthis is how ransomware groups talk to each other,β Stockley said. βThis is law enforcement taking the time to enjoy its moment, and humiliate LockBit in its own vernacular, presumably so it loses face.β
In a press conference today, the FBI said Operation Cronos included investigative assistance from the Gendarmerie-C3N in France; the State Criminal Police Office L-K-A and Federal Criminal Police Office in Germany; Fedpol and Zurich Cantonal Police in Switzerland; the National Police Agency in Japan; the Australian Federal Police; the Swedish Police Authority; the National Bureau of Investigation in Finland; the Royal Canadian Mounted Police; and the National Police in the Netherlands.
The Justice Department said victims targeted by LockBit should contact the FBI at https://lockbitvictims.ic3.gov/ to determine whether affected systems can be successfully decrypted. In addition, the Japanese Police, supported by Europol, have released a recovery tool designed to recover files encrypted by the LockBit 3.0 Black Ransomware.
FreshRSS 