The Limited Times

A conviction between 'dark web' mafias brought down the group of cybercriminals that attacked the Seville City Council and thousands of entities

2024-03-02T12:24:28.326Z

Highlights: A conviction between 'dark web' mafias brought down the group of cybercriminals that attacked the Seville City Council and thousands of entities. An economic dispute over the distribution of ransom loot preceded the police intervention of LockBit, which extorted companies, organizations and hospitals around the world. The international police operation against this plot, which has resulted in two detainees in Eastern Europe, was possible after its conviction in the criminal society. The criminal group is now trying to re-emerge.


An economic dispute over the distribution of ransom loot preceded the police intervention of LockBit, which extorted companies, organizations and hospitals around the world


Police notification of intervention on the LockBit access page after the international action against the hijacking and extortion group last February. HANDOUT (via REUTERS)

The dark web, the network hidden from search engines, which conceals the IP (the identity of the devices we work with) and is accessible only through specific browsers, is not a world without rules, despite being the platform for computer crime, pedophilia, human trafficking and the illegal sale of weapons and drugs.

Like all mafias, it has its rules, and violating them carries punishment.

The breaking of one of these laws, the one governing the distribution of money obtained through extortion, is what has brought down LockBit, the largest hijacking and blackmail organization.

Among the many crimes attributed to it since its detection in 2019, it took down the website of the Seville City Council, the Port of Lisbon, the California budget office, a children's hospital in Toronto and thousands of companies.

The international police operation against this plot, which has resulted in two detainees in Eastern Europe, was possible after its conviction in the criminal society.

The criminal group is now trying to re-emerge.

The United Kingdom's National Crime Agency (NCA) announced on February 20 that it had “taken control of LockBit services” after infiltrating the mafia network in an operation called Cronos.

In coordination with Europol, two people were arrested in Poland and Ukraine and 200 cryptocurrency accounts were confiscated.

Four other alleged malicious actors were indicted in the United States.

“This investigation against the world's most damaging cybercrime group demonstrates that no criminal operation, wherever it is located, and no matter how advanced, is beyond the reach of the agency and our partners. We have hacked the hackers; taken control of their infrastructure, obtained their source code and decrypted the keys that will help victims decrypt their systems. As of today [February 20], LockBit is blocked,” says NCA director Graeme Biggar.

The director of the United States Federal Bureau of Investigation (FBI) shares the euphoria: “The FBI and our partners have successfully disrupted the LockBit criminal ecosystem, which represents one of the most prolific variants of ransomware [extortion by hijacking computer systems] in the world.”

Sergey Shaykevich, Director of the Check Point Threat Group. CP

But this international police operation was the end of a process that had already begun on the dark web and that was the initial trigger for the dismantling of the criminal team.

As described by Sergey Shaykevich, director of the Check Point Threat Group, during a meeting of the multinational in Vienna (CPX), the origin of the fall was a dispute over the proceeds of an extortion, which was settled in a trial between criminals and an unsuccessful appeal that gave rise to a sentence of disappearance.

“LockBit was blocked on [dark web] forums and then taken down. It’s a double whammy,” he summarizes.

LockBit, and other similar organizations, use ransomware as a service (RaaS).

According to the security company Kaspersky, these are programs accessed through the dark web, much like the usual workplace applications on the conventional, or clean, web.

“Interested parties leave a deposit to use the programs that are contracted.

“Ransom payments are split between the LockBit developer team and the attackers, who receive up to three-quarters of the extortion a week later if the goals have been achieved.”

Shaykevich reports that the dispute that gave rise to the trial against LockBit amounted to 20 million euros.

“Reputation in ransomware is the most important thing,” comments Check Point's threat chief to explain how a disagreement between criminals led to the fall of a cybercrime giant.

One of the last victims of the group was the Seville City Council, from which LockBit demanded more than one and a half million euros for the recovery of municipal computer systems last September.

The Councilor for Digital Transformation, Juan Bueno, said after the hijacking that the attackers were “of Dutch origin.”

The event and the councilor's first attribution, which was echoed by many media outlets, showed that the City Council lacked the necessary protection and that the person responsible for Digital Transformation was unaware of LockBit, “the most prolific ransomware organization in the world,” according to the British Home Secretary, James Cleverly.

“From Holland? No, no, no. Most are based in Russia. The two arrested in Poland and Ukraine are not the key members, who are in Russia,” says Shaykevich.

This false Dutch origin referred to the location of the last server through which the email with the malicious link that led to the hijacking was sent.

These computer systems for data traffic, on the dark web, are used for successive encryption that prevents tracking.

According to the NCA, operation Cronos has involved the dismantling of 28 LockBit servers.

Possible revival

However, the trial on the dark web and the subsequent international police operation do not imply the end of the entire LockBit infrastructure, which aspires to stay in the market for hijacking and extortion attacks because they bring in, according to Shaykevich's estimates, more than 200 million euros of income each year.

A person alleged to be in charge of the group has said in a statement that the police intervention was possible due to a “vulnerability in the PHP programming language.”

This name refers to the open source Hypertext Preprocessor system, common in web page development.

“All other servers with backup blogs that did not have PHP installed have not been affected and will continue to deliver stolen data from the attacked companies,” the alleged hacker claims in English and Russian.

Security companies have already detected these attempts to regroup, but question the viability of continuing under the same name after the crisis in criminal reputation caused by the dispute on the dark web and after exposing a vulnerability that the international police exploited.

“As long as people are not arrested, they will most likely change and build a new organization with a new name.

But the step that has been taken is important and shows that law enforcement operates and that you can be punished,” explains Shaykevich.

FBI Director Christopher Asher Wray agrees: “This operation [Cronos] demonstrates both our ability and our commitment to defend cybersecurity against any malicious actor seeking to disrupt our way of life.

“We will continue to work with our national and international allies to identify, disrupt and deter cyber threats, and to hold perpetrators accountable.”

Source: elparis