In February of this year, the website of the cybercriminal group LockBit – one of the most dangerous ransomware gangs in recent years – was shut down. The operation, carried out by the UK’s National Crime Agency (NCA) in cooperation with law enforcement agencies worldwide, was accompanied by the arrest of two men: one in Poland and one in Ukraine. According to Chester Wisniewski, an expert from the company Sophos, the efforts of the services to combat cybercrime are not only justified but also provide insight into how hacker groups function and which tools can be used to effectively hinder their activities.
What is a “ransomware gang”?
In most cases, the core of the criminal group using ransomware consists of programmers responsible for creating malicious software, websites and platforms designed to allow victims to pay ransoms. The gangs need individuals responsible for money laundering and negotiators proficient in English for these operations. The attacks themselves are carried out by so-called “partners” – cybercriminals using a platform where ransomware software is provided. If they succeed in extorting money, they share the earnings with the gang whose resources they were utilizing.
Chester Wisniewski, Director of Technology at Sophos, explains that ransomware groups are very loosely connected. He believes that the closure of the LockBit site does not imply that the cybercriminals affiliated with it have ended their careers.
– “LockBit should be treated like a brand. Its closure does not necessarily affect the individuals who created it. It’s true that it will be more difficult for this group, under sanctions in the USA, to extort ransom from American companies. However, its members can reappear, for example, as CryptoMegaUnicornBit and the whole cycle will start all over again.” – explains Chester Wisniewski. – “Sanctions only limit the speed at which cybercriminals operate, but are not a realistic, long-term solution to the ransomware problem.” – he assures.
The expert simultaneously asserts that the joint actions of law enforcement agencies from different countries are very effective. Thanks to international cooperation, cybercriminals who have been charged in the United States were arrested in Poland (for money laundering) and Ukraine (details not disclosed), and will face trial in France.
Even hackers have cybersecurity problems
The mentioned arrests of members of the LockBit group were possible due to law enforcement agencies infiltrating the cybercriminal’s infrastructure. Chester Wisniewski explains that even the most dangerous hackers can fall prey to similar mistakes that they exploit in their victims.
– “There have already been cases where law enforcement “hacked” into the attackers’ systems, utilizing zero-day exploits in the security of web browsers and software. Cybercriminals were also traced because they forgot to use VPN and Tor browsers that ensure anonymity. So-called operational security (OpSec) errors can ultimately doom even those who use sophisticated methods to illegally acquire valuable data.” – comments the Sophos specialist.
According to him, effective fight against cybercrime requires both investments in the skills and numbers of cyber police officers, as well as educating court representatives. Only in this way can operations aimed at breaking up hacker groups “from the inside” be regularly approved and more frequently end successfully.
Authorities send a clear signal to hackers:
The international efforts to close the website of the LockBit group should be treated as a partial success. Authorities were not able to completely shut down the network belonging to the cybercriminals, including a website where they posted content stolen from hacker victims as retaliation for unpaid ransoms. Despite this, criminals have been sent a clear signal: we are among you and we see what you are doing.
– “For some time now, we’ve been observing that ransomware gangs are behaving paranodically, convinced that their structures could have been infiltrated by representatives of services. Just such thinking may cause potential partners to resign from cooperating with cybercriminal groups.” – emphasized Chester Wisniewski. “– This increases their operating costs, which of course works in our favor. It’s the best proof that pressure really makes sense and that it’s worth using all available tools in the fight against hackers.” – he summarizes.
