Euro cops arrest 4 including suspected LockBit dev chilling on holiday
And what looks like proof stolen data was never deleted even after ransom paid
Building on the success of what's known around here as LockBit Leak Week in February, the authorities say they've arrested a further four individuals with ties to the now-scuppered LockBit ransomware empire.
The first arrest was ordered by the French Gendarmerie after they were alerted to the fact a suspected LockBit developer had gone on holiday to a territory that had an extradition agreement with France.
Ransomware criminals typically enjoy the fact that Russian prosecutors turn a blind eye to them, provided the crooks don't attack organizations in their homeland or allied nations. This also means getting those extortionists in handcuffs is notoriously difficult unless they're silly enough to venture somewhere the Russian authorities can't shield them from extradition requests like this one.
French law prohibits the identification of the arrested individual, and the country in which the suspect was detained was also not specified. However, a post to LockBit's leak blog said: "This individual is facing severe charges in the French core case against the LockBit organized crime group."
It's certainly a rare win for law enforcement who have thus far spent many years trying to get major LockBit and ransomware suspects in handcuffs.
The arrest took place in August, the same month a further two individuals were collared in the UK – one due to suspected links with a LockBit affiliate and another on suspected money laundering offences.
Again, their identities have not been revealed by Britain's National Crime Agency (NCA), but the cops said the suspects' identities were deduced after analyzing piles of data seized during February's disruption of the gang.
The LockBit site, seemingly under the control of the police, currently reads: "Both individuals were identified through the analysis and enrichment of data acquired during the course of Operation Cronos. The NCA's National Cyber Crime Unit continues to proactively analyze this data at pace by working closely with international partners to identify real-world identities suspected of being involved with LockBit.
"Once again, we thank Dmitry Khoroshev a.k.a LockBitSupp for allowing us to compromise his platform and discover all this juicy data (it's keeping our teams busy!)"
The Spanish Guardia Civil also got in on the act, arresting what it described as "a key suspect" at Madrid airport. The suspect's identity was withheld; they are believed to be the owner of a so-called bulletproof hosting business – one of the key facilitators of cybercriminal infrastructure like LockBit's.
Bulletproof hosting companies essentially offer the same fundamental internet hosting services – servers, storage, etc – as legitimate equivalents, but they don't respond to reports of their customers breaking the law and causing abuse online. That allows those customers to get away with all sorts of stuff. These hosters may also move servers between territories to evade jurisdictions that are on their case.
Though that's kinda difficult when the plod manages to snatch what they think are your boxes and collar someone suspected to be the admin of those machines.
"Nine relevant servers of LockBit infrastructure were accessed and seized," said officers behind Operation Cronos, a global police collaboration to bring down the LockBit gang. "Relevant information to prosecute core members and affiliates of the ransomware group was obtained and is currently being analyzed."
Drop in the ocean
The arrests announced today are four of the very few ever made in relation to suspected LockBit members, and some of those arrested, like the four announced today, have never been named.
LockBit's leak blog, under the control of the cops' Operation Cronos, revived to issue news of four arrests of suspected gang associates
For example, the Ukrainian plod snared a father and son suspected of being LockBit affiliates earlier this year, just before law enforcement's disruption of the gang took place. Arrested at the request of the French government, the pair were never named.
This was announced as the NCA was in full swing with LockBit Leak Week – a week full of leaked information using LockBit's own website, once seized, to discredit the group and kill its brand.
Adding to the pain, the US also indicted two additional suspected LockBit affiliates, Artur Sungatov and Ivan Kondratyev, but these two have yet to be apprehended.
Canadian-Russian Mikhail Vasiliev, however, was sentenced to four years in prison for eight counts of cyber extortion, mischief, and weapons charges against Canadian victims earlier this year. He is still yet to be extradited to the US to face his LockBit-specific charges.
Back in 2023, Ruslan Magomedovich Astamirov, who was just 20 years old at the time, for whatever reason submitted to a voluntary FBI interview in Arizona. After having his devices combed through, he was arrested on suspicion of being responsible for at least five LockBit ransomware attacks.
A month earlier, in May 2023, fellow suspected LockBit affiliate Mikhail Pavlovich Matveev was also indicted by the US, but has thus far stayed well away from anywhere with which the US has an extradition agreement in place. He remains at large.
Most recently, however, Ukrainian police again arrested another alleged LockBit affiliate, accused of attacking a large multinational – that's as specific as we could get – in 2021 using Conti's ransomware. Like with the father-son duo, the identity of the nabbed person was kept hush-hush.
On the one hand, there is the presumption of innocence that must be maintained, and naming someone, linking them to a crime they didn't commit, can be devastating. That is understood. On the other hand, it would be wise to be wary of a Kafkaesque situation developing around these alleged cyber-extortionists.
Cemented suspicions
One part of LockBit Leak Week in February was the revelation made by the NCA-led Operation Cronos team that they found evidence of stolen data being kept by LockBit even after a victim had paid the ransom.
It went against the conventional wisdom, perpetuated by ransomware operatives, that if a payment is made, the data pilfered during the attack and used as leverage for a payment would be destroyed.
However, many in the cybersecurity community doubted whether this promise – if you could ever believe one from such a criminal – would be truly honored.
The claims made by the LockBit disruptors went some way toward confirming those suspicions, but little else was said on the matter until today.
Authorities now say that after spending months combing through LockBit's source code, they found evidence that suggests not only did LockBit keep victims' information even after they paid, but the tools given to affiliates were developed so that the data would never be deleted.
A technical explanation of the process was published on LockBit's own website today, which remains under Operation Cronos' control.
In it, investigators explain how they deduced that the tools were developed so that data would be kept even if an affiliate thought they were deleting it. Once paid, an affiliate would usually click a button that seemingly wiped both the victim's data the crook had grabbed and the victim's post on LockBit's leak site, but it did neither.
In the LockBit affiliate panel, there was an option to delete a victim's data. It would present a pop-up window titled "Delete this folder?" with two buttons: "Yes" and "No."
Digging through the code of these buttons, investigators found that the "Yes" button didn't actually mean yes. Clicking it instead just sent a request to LockBit HQ, which could then either approve or deny the request to delete a victim's data.
And even if that request was approved, each file would have to be manually deleted by the LockBit administrator, entering each folder ID iteratively, one at a time.
Only LockBit suspect Dmitry Khoroshev had the ability to actually delete the data, Operation Cronos claimed, and the affiliate could never know if the data was indeed wiped.
Additionally, the authorities said LockBit never deleted any data from 2022 onward.
The finding further cements the idea that paying ransomware criminals will not guarantee the data stolen during the attack automatically becomes safe from those who would seek to misuse it.
"LockBit let you down," Cronos said. "Affiliates, developers, and money launderers, we look forward to catching up with you very soon." ®