Boss Digital

Law enforcement arrests vacationing LockBit developer in ongoing operation


What just happened? The international law enforcement operation that took down the LockBit ransomware gang at the start of the year is still resulting in arrests. Authorities say they’ve now arrested four further suspects, including one member while he was on vacation outside of his Russian homeland.

Europol, the law enforcement agency of the European Union, writes that it supported a new series of actions against LockBit members, leading to the four arrests and seizures of servers critical for the group’s infrastructure.

Ransomware criminals in Russia are often safe from arrest as the local authorities tend to ignore their actions as long as they don’t attack organizations within the country. But one of those arrested, a LockBit developer, had gone on vacation in August to a territory that has an extradition agreement with France. The French Gendarmerie were alerted, leading to his arrest. The individual and the country where he was apprehended have not been revealed.

August also saw two more people arrested in connection with the operation, both in the UK. One is reported to be associated with a LockBit affiliate, and the other is suspected of money laundering. Britain’s National Crime Agency identified them using data seized during the massive takedown of LockBit operations in February.

The final arrest was made at Madrid airport, where Spain’s Guardia Civil arrested an administrator of a bulletproof hosting service used by the ransomware group. Bulletproof hosting companies provide hosting services that are deliberately designed to be resistant or immune to takedown requests, law enforcement, or other forms of interference. They are often linked to criminal activities because they allow or tolerate hosting illegal content.

Spanish officers also seized nine servers, part of the ransomware’s infrastructure.

In addition, Australia, the United Kingdom, and the United States implemented sanctions against an actor identified as a prolific affiliate of LockBit and strongly linked to ransomware group Evil Corp.

The LockBit ransomware-as-a-service has been behind over 1,700 attacks on organizations in the United States from virtually every sector, from government and financial to transport, healthcare, and education.

This year’s multinational Operation Cronos saw LockBit’s website seized and operations disrupted. Investigators also seized 34 servers containing over 2,500 decryption keys and used the data gathered from those servers to develop a free file decryption tool for the LockBit 3.0 Black Ransomware.




