Police Arrest Four Suspects Linked to LockBit

Summary:
Law enforcement from 12 countries arrested four suspects tied to the LockBit ransomware gang, including a developer, a bulletproof hosting administrator, and two individuals linked to LockBit activities. These arrests were part of Operation Cronos, a global crackdown led by the UK National Crime Agency (NCA), which began in April 2022. A suspected LockBit developer was arrested in August 2024 at the request of French authorities, while two other individuals were arrested in the UK, one for LockBit affiliation and the other for money laundering. Additionally, Spain arrested a bulletproof hosting service administrator used by LockBit.

Australia, the UK, and the US also announced sanctions against individuals connected to LockBit and Evil Corp. The UK's sanctions targeted 15 Russian nationals, while the US and Australia sanctioned a total of eight individuals. These actions follow a major disruption of LockBit's infrastructure in February 2024, where 34 servers and over 2,500 decryption keys were seized, leading to the creation of a LockBit 3.0 ransomware decryptor.

Analyst Comments:
LockBit, active since 2019, has been linked to high-profile attacks on companies like Bank of America, Boeing, and the UK Royal Mail. The gang has extorted up to $1 billion from over 7,000 attacks. Notable arrests of LockBit members include Mikhail Matveev, Artur Sungatov, Ivan Kondratiev, and Dmitry Khoroshev in 2023 and 2024. Other affiliates, including Ruslan Astamirov and Mikhail Vasiliev, have been arrested and sentenced for their roles in ransomware attacks.

This year, we have tracked 269 attacks by LockBit across all critical sectors. While total attack volume is down compared to 2023, the group has remained a significant threat to organizations globally. After the law enforcement activity observed in February against LockBit and BlackCat, we noted significant decreases in ransomware attacks by volume. This number had stabilized by August 2024, when we saw ransomware attacks up almost 40% from August 2023. We are hopeful that continued law enforcement activity against these prominent ransomware operators will keep having positive impacts across the landscape.

Suggested Corrections:

  • Network Security
    • Patch vulnerabilities: Ensure that all systems, especially VPNs, firewalls, and remote access solutions, are up to date with security patches. Many ransomware groups exploit unpatched vulnerabilities.
    • Disable unused services: Shut down unnecessary services and ports, particularly Remote Desktop Protocol (RDP), which is a common attack vector.
    • Network segmentation: Limit access between different parts of your network to reduce the lateral movement of ransomware.
  • Access Control
    • Multi-factor authentication (MFA): Enable MFA for all remote access and sensitive accounts, particularly for administrator access.
    • Least privilege principle: Grant users only the access they need. Limit administrative privileges and ensure that privileged accounts are not used for daily tasks.
    • Monitor user access: Use tools to monitor unusual activity, such as privilege escalations or unauthorized access attempts.
  • Backup
    • Frequent backups: Maintain regular, automated backups of critical data, ensuring they are stored offline or in a secure, immutable environment (such as air-gapped systems or cloud storage).
    • Test backups: Periodically test the integrity and restorability of backups to ensure you can recover data in the event of an attack.
  • Monitor Endpoints
    • Endpoint detection and response (EDR): Deploy advanced EDR tools to identify and block ransomware behavior, such as file encryption or lateral movement.
    • Email and web security: Use anti-phishing tools and URL filtering to prevent ransomware from spreading through malicious attachments and links.
  • Training
    • Security awareness training: Train employees to recognize phishing emails, malicious attachments, and social engineering tactics that ransomware operators often use.
    • Simulated phishing exercises: Conduct regular phishing simulations to test the awareness and readiness of employees.
  • Business Continuity
    • Create a ransomware-specific incident response plan: Develop and regularly update your response plan, which should include steps for containment, communication, and recovery in case of an attack.
    • Practice response drills: Conduct tabletop exercises and simulated attacks to ensure your incident response team is prepared to act quickly in the event of an attack.
  • Threat Intelligence
    • Track LockBit TTPs: Stay updated on known LockBit ransomware tactics, techniques, and procedures (TTPs). Use threat feeds and IOC alerts to identify early signs of an attack.
    • Event log analysis: Review Windows event logs and other system logs regularly for signs of ransomware activity, such as those left by Conti, Phobos, and other ransomware groups related to LockBit.
  • Penetration Testing
    • Vulnerability scanning and penetration testing: Conduct regular vulnerability scans and penetration tests to identify weak spots in your infrastructure that could be exploited by ransomware actors.

Link(s):
https://www.europol.europa.eu/media...ts-and-financial-sanctions-against-affiliates