Slow Mist: The Mysterious Case of LockBit, the World’s Largest Blackmail Group

Team Background

In September 2019, LockBit ransomware made its first official appearance , which is called "ABCD" ransomware because it uses the suffix .abcd to mark encrypted victim files. The early version of LockBit 1.0 was very immature. During the crime process, the encryption software not only used fixed mutexes, but even left some debug functions that were easy to be identified and intercepted by anti-virus software, sandboxes and other security software.

As the organization continues to grow in size, LockBit 1.0 begins to operate in the RaaS (Ransomware-as-a-service ransomware and service) model, that is, to develop and distribute ransomware The software tools were used by other malicious actors and were promoted for their collaboration programs on a prominent Russian-language forum known as XSS.

Eight months later, LockBit 1.0 ransomware operators upgraded their extortion tactics and created a site for exposing victim data, along with file encryption. Trying to further pressure the victim in order to achieve the purpose of "double blackmail".

After several minor upgrades, LockBit 1.0 has more sophisticated methods of committing crimes than other ransomware. The encryption process for Windows systems uses the RSA + AES algorithm to encrypt files, and uses the IOCP completion port + AES-NI instruction set to improve work efficiency, thereby achieving a high-performance encryption process. Once the file is successfully encrypted, all victim files will be added and cannot be cracked. The .abcd extension suffix.

During the LockBit ransomware 1.0 period, it mainly displayed ransom messages by modifying the victim's system desktop wallpaper and left a ransomware file named Restore-My-Files.txt The letter requires the victim to log into the darknet and pay the ransom in Bitcoin or Monero.

The gang later became famous for a number of high-profile attacks. For example, in June 2022, they launched LockBit version 3.0 and included a bug bounty program that invited security researchers to test and improve their software. Offering rewards for discovering system vulnerabilities is a unique approach among ransomware.

Since its inception, LockBit has had a significant impact on cybersecurity, with its attacks often resulting in the theft of sensitive data and financial losses for the victim parties.

"Glorious" History

Before May 2022, LockBit is almost unparalleled in the world. Penetrated the defense systems of more than 850 organizations, accounting for 46% of all ransomware-related attacks during the same time period.

RaaS proxy mode:

Attack method:

Ransomware attacks targeting industrial systems in the second quarter of 2022, according to data from cybersecurity company Dragos About one-third of them were initiated by LockBit, which caused a huge blow to many large companies in the industrial control field. A report released by Deep Instinct pointed out that in the first half of 2022, ransomware attacks launched by LockBit accounted for approximately 44% of the total number of attacks.

In just three years, the number of victims of the LockBit ransomware gang has reached more than 1,000, which is twice as many as the old ransomware organization Conti, and even more so than Revil. More than 5 times.

It is worth mentioning that the LockBit ransomware organization’s ransom collection rate is also higher than that of many established ransomware organizations. Judging from the data in 2022, among its ransom demands of US$100 million, the extortion rate was more than half, which frightened countless companies.

Current situation

As a result, the gang has attracted the attention of law enforcement agencies around the world. In November 2022, the U.S. Department of Justice (DoJ) charged Mikhail Vasiliev, a dual citizen of Russia and Canada, for his alleged involvement in the LockBit ransomware operation. The man is currently detained in Canada, awaiting extradition to the United States.

In May, Russian national Mikhail Pavlovich Matveev (30), also known as Wazawaka, m1x, Boriselcin and Uhodiransomwar, was charged by the U.S. Department of Justice with participating in multiple extortion attempts Software attacks.

The U.S. Department of Justice unsealed two indictments charging the man with using three different ransomware strains to target numerous victims across the U.S., including in Washington, D.C., and New Jersey law enforcement agencies, and organizations nationwide in the health care and other sectors:

• 2020 On or about June 25, Matveev and his LockBit co-conspirators attacked a law enforcement agency in Passaic County, New Jersey;

• On April 26, 2021, Matveev and his Babuk co-conspirators attacked the Metropolitan Police Department in Washington, DC;

• On or about May 27, 2022, Matveev and his Hive co-conspirators attacked a non-profit sexual health organization in New Jersey.

• On February 19, 2024, the notorious blackmail gang LockBit website , seized in a joint law enforcement operation by the FBI, Europol and the International Alliance of Police Agencies:

treasury.gov publishes relevant sanctions information on persons involved Information, BTC and ETH addresses, etc.:

We use MistTrack to check the funds of the sanctioned ETH address (0xf3701f445b6bdafedbca97d1e477357839e4120d):

Analysis found that the funds on the ETH address had been laundered.

Next, we analyzed the situation of the sanctioned BTC addresses and found that the earliest transactions among these addresses can be traced back to October 2019, and the most recent transactions can be traced back to October 2019. It dates back to March 2023, and the relevant funds on each address have been transferred.

Among them, the address that received the largest amount is 18gaXypKj9M23S2zT9qZfL9iPbLFM372Q5. This address is the address of Artur Sungatov, an affiliate of LockBit. It is marked as a Binance Deposit address by MistTrack, and the funds have been transfer.

Secondly, the address 32pTjxTNi7snk8sodrgfmdKao3DEn1nVJM received an amount of 52.7892 BTC. This address is the address of LockBit affiliate Ivan Kondratyev, which was marked as a Kucoin Deposit address by MistTrack, and this address received another sanctioned address bc1qx9upga7f09tsetqf78wa3qrmcjar58mkwz6ng 6 0.4323 BTC transferred.

The US government, along with the UK and Europol, have released more information about the LockBit ransomware group. They also revealed that LockBit has 193 affiliates:

< img src="https://img.jinse.cn/7181587_image3.png">

The mystery of being caught

According to a spokesperson for the UK's National Crime Agency, LockBit's services have been disrupted and this is an ongoing and developing operation. The operation is the latest step in a years-long battle between law enforcement agencies and extortion gangs. It is a powerful blow to LockBit’s recent cross-border extortion operations and an effective deterrent to increasingly rampant ransomware attacks.

We looked at LockBit's nodes and every known LockBit ransomware group website was either offline or showed pages that had been blocked by EUROPOL. Law enforcement has seized or taken down at least 22 Tor sites in what has been dubbed "Operation Kronos."

After this, LockBit ransomware group managers reported to The media confirmed that their website has been blocked:

< p style="text-align: left;">However, it seems that this seizure did not affect the core LockBit personnel, and the LockBit ransomware group subsequently released a message to individuals on Tox: "FBI screwed up a server using PHP , backup servers without PHP are not affected."

Today the plot has reversed, LockBit leadership statement: We are regarding the announcement by law enforcement that LockBit leadership will be announced on Friday, February 23, 2024 regarding the LockBit ransomware Managers from the organization were talked to.

LockBit replied: "Let them reveal it, I'm sure they don't know my identity." In turn, the LockBit ransomware group changed its name to "FBI Supp ", used to mock law enforcement agencies:

According to @vxunderground news, it seems that the final mastermind has not been caught, and LockBit has even publicly offered a larger reward for the public to find him.

The story is getting better and better at this point, and law enforcement agencies claim that they will release more information about the LockBit organization in the coming days.

How is the funeral? We'll see.

Summary

This crackdown is against ransomware The latest in a series of law enforcement moves by the gang. Late last year, the FBI and other agencies have successfully taken down the networks and infrastructure of multiple ransomware gangs such as Qakbot and Ragnar Locker.

At the recent Munich Cybersecurity Conference, the U.S. Deputy Attorney General emphasized the United States’ determination to combat ransomware and cybercrime, proposing the adoption of faster, more proactive strategies that focus on preventing and disrupting these criminal activities.

With the development of digital technology, cybercrime relying on cryptocurrency has become a major global challenge. Cybercrimes such as ransomware not only cause losses to individuals and businesses, but also pose serious risks to society as a whole. Last year, cybercriminals extorted more than $1.1 billion from victims around the world, according to statistics.

In addition, ransomware management is a battle between network attackers and security personnel, requiring patience, strategy, and timing.

Take LockBit ransomware as an example. It continues to iteratively update the attack methods, strategies, intrusion points, etc. of each version, which makes it difficult for security personnel to form a complete Repair the system. Therefore, in the process of ransomware management, prevention is far more important than repair. It is necessary to adopt a systematic, comprehensive policy, system governance, and multi-party joint approach to form a wall to prevent ransomware. It is strongly recommended that everyone take the following protective measures: < /p>

Use complex passwords as much as possible: When setting passwords for servers or internal systems within an enterprise, complex login credentials should be used, such as Use numbers, uppercase and lowercase letters, special symbols, and a password of at least 8 characters in length, and change the password regularly.

Two-factor authentication: For sensitive information within the enterprise, it is necessary to add other layers of defense on the basis of password-based login to prevent hacker attacks. For example, measures such as installing biometric verification such as fingerprints and iris or using physical USB key authenticators on some sensitive systems.

Four Don’ts:Do not click on emails from unknown sources; do not browse pornographic, gambling and other harmful information websites; do not install software from unknown sources, be cautious Install software sent by strangers; do not insert USB flash drives, mobile hard drives, flash memory cards and other mobile storage devices of unknown origin into the device at will.

Data backup protection:The real guarantee against data loss is always offline backup. Therefore, it is very important to back up key data and business systems. necessary. Note that backups should be clear and label backups at each stage to ensure that if a backup is infected by malware, it can be retrieved in time.

Always anti-virus and close ports: Install anti-virus software and regularly update the virus database, and perform full anti-virus regularly; close unnecessary services and Ports (including unnecessary remote access service ports 3389, 22 and unnecessary LAN shared ports such as 135, 139, 445, etc.).

Strengthen employee security awareness:The biggest hidden danger in safe production lies in personnel, such as phishing, social engineering, poisoning, weak passwords, etc. These key All factors are closely related to the security awareness of personnel. Therefore, in order to strengthen the overall security and improve defense capabilities, it is necessary to effectively enhance the security awareness of personnel.

Timely patching of office terminals and servers: Timely patching of operating systems and third-party applications to prevent attackers from intruding through vulnerabilities system.

Credit: WuBlockchain, @vxunderground, Xita Lab, Yunding Lab

Reference

[1] https://www.justice.gov/opa/pr/us -and-uk-disrupt-lockbit-ransomware-variant

[2] https://www.nationalcrimeagency.gov.uk/news/nca-leads- international-investigation-targeting-worlds-most-harmful-ransomware-group

[3] https://www.justice.gov/opa/pr/us -and-uk-disrupt-lockbit-ransomware-variant

[4] https://ofac.treasury.gov/recent-actions/20240220