Well well well, how the turntables have…you get the idea. Lockbit, a notorious ransomware syndicate that’s estimated to have extorted more than $120 million of ill-gotten gains from victims worldwide, has been subjected to a successful takedown operation from a group comprising a range of international authorities, including the Swedish police and Europol.
The best part? Rather than simply lock the dark website down, the investigators took the opportunity to do a bit of trolling of their own.
Not content with merely gaining root access to the ransomware group’s servers, the authorities, operating under the title “Operation Cronos”, decided to have a bit of schadenfreude-inducing fun while they were at it (via Ars Technica). In a series of images displayed on the sites Lockbit previously operated, the investigators not only revealed the extent of the access they had obtained—including control of the main web panel that Lockbit operators used to communicate with their victims—but teased the founder, operating under the name LockbitSupp, in a manner they may well be familiar with.
A page on the main site read “Who is LockbitSupp? The $10m question”, complete with a timer counting down the seconds until their identifying information would be posted. This mirrored a common method of extortion used by Lockbit operators to extort large sums of money from victims, in which they taunted their potential prey and gave them an ebbing timeframe in which to pay up.
Not only that, but the images themselves featured filenames that appear to brag about the extent of the operation’s success, with some highlights including “this_is_really-bad.png” and “doesnt_look_good.png”.
The months-long operation has been regarded as a major victory in the fight against ransomware operators, with 34 servers in the Netherlands, Germany, Finland, France, Sweden, and more taken down once the authorities had had their fun. Two arrests have been made so far, with three international arrest warrants and five indictments also issued by French and US authorities.
Lockbit previously operated as a ransomware-as-a-service operation, where malware was distributed by a core team within the group to various “affiliates” who would then put it to use blackmailing victims into handing over their cash. The group and its operators often made use of encryption tools to lock users’ data, before threatening to leak it while performing DDoS attacks to ramp up the pressure, in a method referred to as triple extortion.
14,000 accounts used by Lockbit are now under the control of law enforcement as a result of the operation, which took a huge amount of cooperation between various agencies to bring to fruition. While Lockbit is far from the only ransomware syndicate operating on the dark web, it was certainly one of the largest, and its takedown may well serve as a warning to others hoping to mimic its success.
Not only are the authorities coming, it seems, but if they make it past your digital walls they may well perform a victory lap over the ashes of your criminal empire, and mock you in the process.
Still, difficult to feel too sorry for them, ey? Beyond the malware itself, shame, embarrassment, and fear were the tools of Lockbit’s trade, and in this case, it seems that just desserts have just been served.
