Four LockBit ransom gang members arrested, servers seized by Europol


The LockBit gang’s ransomware infrastructure has taken another massive hit with four new LockBit arrests and the seizure of its ‘critical servers.’ The operations, led by EU law enforcement, include dozens of sanctions and an uncovered link to the Evil Corp cybercriminal group.

The four arrests spanned four nations and included an alleged LockBit developer, two people accused of supporting a LockBit affiliate, and the administrator of a bulletproof hosting service used by the ransomware group.

Not only were individual arrests made, but nine servers, said to be part of LockBit ransomware’s critical infrastructure, were confiscated by Spanish authorities. This is another blow to the group, which has been relentlessly chased down by cyber police worldwide since the beginning of this year.


Europol announced the arrests as part of the third phase of Operation Cronos, a joint international operation launched in February by nearly a dozen countries, Europol, and the FBI.

“These actions follow the massive disruption of LockBit infrastructure in February, as well as the large series of sanctions and operational actions that took place against LockBit administrators in May and subsequent months,” Europol stated in Tuesday’s release.


The suspected developer was arrested in France; the two individuals charged with supporting the activity of a LockBit affiliate were arrested by British authorities, and the bulletproof hosting administrator was taken into custody in Spain.

Financial sanctions issued

A slew of sanctions were also issued against another bad actor, whom the UK's National Crime Agency (NCA) had identified as "a prolific affiliate of LockBit and strongly linked to Evil Corp," another long-running, Kremlin-linked cybercriminal group well known to international authorities.

The Evil Corp-linked LockBit affiliate was named as Aleksandr Ryzhenkov, the right-hand man of Evil Corp leader Maksim Yakubets, who remains at large.


The sanctions, handed down by Australia, the UK, and the US, come despite LockBit's earlier claim that the two ransomware groups do not work together, according to Europol.

Ryzhenkov, also known by the handle "Beverley," is said to have been personally involved in carrying out dozens of LockBit ransomware attacks, and to have targeted US victims with BitPaymer ransomware, a strain developed and used extensively by Evil Corp.

The NCA charges that ‘Beverley' was responsible for at least “60 LockBit attacks… extorting at least $100 million from victims.”

“To the rest of the affiliates, developers and money launderers, we look forward to catching up with you all soon,” the NCA posted on X.

Additionally, Europol said fifteen other Russian citizens were sanctioned by the UK, six more by the US, and two more by Australia, all for their involvement in Evil Corp's criminal activities. Separately, on Tuesday, the US Justice Department unsealed an indictment charging Ryzhenkov in connection with the BitPaymer attacks.

The Evil Corp sanctions were announced by the NCA, along with a fresh eight-page report described as a "high-level overview of the group’s origins, operations and evolution."

In typical cat-and-mouse fashion, law enforcement also posted news of the operation on one of the LockBit dark web leak sites previously seized by Team Cronos, as a reminder to the gang that police operations continue in full force.

Authorities announce LockBit actor arrests and sanctions on a previously seized LockBit dark leak site as a reminder to the gang that Operation Cronos continues in full force. Image by Europol.

Operation Cronos was said to have crippled LockBit's operations by compromising the gang's primary platform, including thirty-four of the gang's servers, over 200 cryptocurrency accounts, and 30,000 Bitcoin addresses recovered from LockBit's systems.

Europol, which facilitated international information exchange, coordination of operational activities, analytical support, cryptocurrency tracing, and forensic support during the operation, did not reveal the names or nationalities of any of the suspects arrested in the third phase, other than Evil Corp's Ryzhenkov.

Cybercrime divisions from Australia, Canada, France, Germany, Japan, Spain, Sweden, Switzerland, the Netherlands, Romania, the United Kingdom, and the United States, along with the European Union Agency for Criminal Justice Cooperation (Eurojust), were all involved in the latest effort.

The elusive LockBit gang

Even with Tuesday’s arrests, the LockBit cybercriminal cartel continues to dominate the ransomware industry, evading the FBI and collecting tens of millions of dollars in ransom payments from thousands of victims.

First appearing in late 2019, the threat actors are said to have executed over 1,400 attacks in the US and around the world, including in Asia, Europe, and Africa. Europol states that between 2021 and 2023, LockBit was the most widely deployed ransomware variant worldwide.

The gang’s notorious LockBit 3.0 variant, also known as LockBit Black, is the third iteration of the malware and is said to be more evasive than any previous strain, according to a US Department of Justice report.

The gang has proven slippery at best, evading international law enforcement efforts to dismantle LockBit’s operations, even after the launch of the first phase of Operation Cronos.

LockBit takedown. Image by Reuters.

Within days of the multi-pronged February operation, which seized the group’s infrastructure and dark web leak site and unmasked its ringleader LockBitSupp (the Russian national Dmitry Yuryevich Khoroshev), LockBit was back to business as usual, standing up a new leak site and targeting multiple US hospitals.


In June, the FBI revealed it had recovered 7,000 decryption keys for several LockBit ransomware families, helping thousands more victims recover their encrypted data via the ‘No More Ransom’ website.

According to the Cybernews Ransomlooker ransomware monitoring tool, LockBit accounted for 47% of all publicly announced ransomware victims over the last 12 months.

LockBit operates under a Ransomware-as-a-Service (RaaS) business model and is responsible for major attacks on companies such as The Boeing Company and Allen & Overy, as well as the mass exploitation of the 2023 Citrix NetScaler zero-day vulnerability known as Citrix Bleed.

More recently, the group boasted of attacks on Deutsche Telekom and Cannes Hospital in France. The gang also claimed in June to have stolen 33 terabytes of data from the US Federal Reserve, which some observers read as payback for the FBI's pursuit of the group.

The free decryption tools on the ‘No More Ransom’ portal are available in 37 languages, comprise over 120 tools capable of decrypting more than 150 different ransomware families, and have already helped over six million victims, EU authorities noted in Tuesday's announcement.