A verdict among ‘dark web’ mafias brought down the cybercriminal group that attacked the Seville City Council and thousands of other entities | Technology

Police notice posted on LockBit's seized site after the international action against the ransomware and extortion group last February. HANDOUT (via REUTERS)

The dark web, the hidden network that search engines do not index, that conceals the IP address identifying the devices in use and that is reachable only through specific browsers, is not a world without rules, even though it is the platform for computer crime, child sexual abuse material, human trafficking and the illegal sale of weapons and drugs. Like all mafias, its groups have rules, and breaking them carries punishment. The breaking of one of those rules, the one governing how money obtained through extortion is shared out, is what brought down LockBit, the largest ransomware and extortion organization. Among the many crimes attributed to it since it was first detected in 2019, it took down the website of the Seville City Council, the Port of Lisbon, the California budget office, a children's hospital in Toronto and thousands of companies. The international police operation against the group, which has resulted in two arrests in Eastern Europe, was possible only after its conviction in the criminal underworld. The group is now trying to re-emerge.

The United Kingdom's National Crime Agency (NCA) announced on February 20 that it had “taken control of LockBit's services” after infiltrating the group's network in an operation called Cronos. In coordination with Europol, two people were arrested in Poland and Ukraine and 200 cryptocurrency accounts were confiscated. Four other alleged members were indicted in the United States.

“This investigation against the world's most damaging cybercrime group demonstrates that no criminal operation, wherever it is located, and no matter how advanced, is beyond the reach of the agency and our partners. We have hacked the hackers; taken control of their infrastructure, obtained their source code and decrypted the keys that will help victims decrypt their systems. From today [February 20], LockBit is blocked,” says NCA director Graeme Biggar.

The director of the United States Federal Bureau of Investigation (FBI) shares the euphoria: “The FBI and our partners have successfully disrupted the LockBit criminal ecosystem, which represents one of the most prolific ransomware variants in the world.”

Sergey Shaykevich, director of the Check Point Threat Group.C.P.

But this international police operation was the end of a process that had already begun on the dark web, and that was the initial trigger for the dismantling of the criminal team. As described by Sergey Shaykevich, director of the Check Point Threat Group, during the company's CPX conference in Vienna, the origin of the fall was a dispute over the proceeds of an extortion that was settled in a trial between criminals, followed by an unsuccessful appeal that ended in a sentence of expulsion. “LockBit was blocked on the forums [of the dark web] and then it fell. It's a double whammy,” he summarizes.

LockBit, and other similar organizations, operate ransomware as a service (RaaS). According to the security company Kaspersky, these are programs accessed through the dark web, much like the usual applications of conventional, or clear-web, work environments. “Interested parties leave a deposit to use the programs they contract. Ransom payments are split between the LockBit developer team and the attackers, who receive up to three-quarters of the extortion a week later if the goals have been achieved.”

Shaykevich reports that the dispute that gave rise to the trial against LockBit amounted to 20 million euros. “Reputation in ransomware is the most important thing,” comments Check Point's threat chief, to explain how a disagreement between criminals led to the fall of a cybercrime giant.

One of the group's last victims was the Seville City Council, from which LockBit demanded more than one and a half million euros last September for the recovery of the municipal computer systems. The Councilor for Digital Transformation, Juan Bueno, said after the attack that the attackers were “of Dutch origin.”

The incident, and the councilor's initial attribution, which many media outlets repeated, showed that the City Council lacked the necessary protection and that the person responsible for Digital Transformation was unaware of LockBit, “the most prolific ransomware organization in the world,” according to the British Home Secretary, James Cleverly.

“From Holland? No, no, no. Most are based in Russia. The two arrested in Poland and Ukraine are not the key members, who are in Russia,” says Shaykevich.

The false Dutch origin referred only to the location of the last server from which the email carrying the malicious link that led to the compromise was sent. Such relay servers, on the dark web, are chained together with successive layers of encryption so that each one knows only the next hop, which prevents tracing back to the true sender. According to the NCA, Operation Cronos has led to the takedown of 28 LockBit servers.
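To make concrete why the "Dutch" server tells an investigator nothing about who sent the message, the following sketch simulates a chain of relays with one encryption layer per hop. It is an added example, not code from the article, from LockBit or from any real anonymity network: the relay names, keys and payload are constructed, and the HMAC-SHA256 counter-mode stream cipher is a toy stand-in for the AES-based layers that real onion routing uses (it is not authenticated and should not be used for anything but illustration). Each relay strips one layer and learns only where to forward the rest; the destination sees the last relay as the apparent source.

```python
"""Toy onion routing: each relay peels one layer and learns only the next hop."""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a toy keystream generator.

    Stand-in for a real stream cipher such as AES-CTR; illustration only.
    """
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def build_onion(route, destination: str, payload: bytes) -> bytes:
    """Wrap payload in one layer per relay, innermost (exit) layer first.

    route: list of (relay_name, relay_key) in forwarding order.
    Every layer carries only the name of the next hop plus the inner blob,
    so relay i can never see the hop after i+1 or the original sender.
    """
    # Innermost layer: only the exit relay learns the final destination.
    layer = {"next": destination, "inner": payload.hex()}
    blob = encrypt(route[-1][1], json.dumps(layer).encode())
    # Wrap outward: relay i's layer names relay i+1 and hides everything else.
    pairs = list(zip(route[:-1], route[1:]))
    for (_, key), (next_name, _) in reversed(pairs):
        layer = {"next": next_name, "inner": blob.hex()}
        blob = encrypt(key, json.dumps(layer).encode())
    return blob


def peel(key: bytes, blob: bytes):
    """Strip one layer with this relay's key; return (next_hop, inner_blob)."""
    layer = json.loads(decrypt(key, blob).decode())
    return layer["next"], bytes.fromhex(layer["inner"])


def deliver(route, onion: bytes):
    """Forward the onion along the route and record what each party observes."""
    observations = []
    blob = onion
    previous = "sender"
    for name, key in route:
        next_hop, blob = peel(key, blob)
        observations.append({"relay": name, "from": previous, "to": next_hop})
        previous = name
    # The destination sees only the exit relay as the apparent origin.
    destination_view = {"apparent_source": previous, "payload": blob}
    return observations, destination_view


# Constructed sample route (names and keys invented for this example).
ROUTE = [
    ("relay-1 (entry)", b"entry-relay-key"),
    ("relay-2 (middle)", b"middle-relay-key"),
    ("relay-3 (NL, exit)", b"exit-relay-key"),
]

if __name__ == "__main__":
    onion = build_onion(ROUTE, "victim-mail-server", b"phishing email with link")
    seen_by_relays, seen_by_victim = deliver(ROUTE, onion)
    for obs in seen_by_relays:
        print(obs)
    print(seen_by_victim)
```

Running the block prints one line per relay: the entry relay sees "sender" and relay-2, the middle relay sees relay-1 and relay-3, and the exit sees relay-2 and the victim. The victim's view lists the exit relay as the source, which is exactly the "Dutch" server in the councilor's attribution.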

Possible revival

However, the trial on the dark web and the subsequent international police operation do not mean the end of the entire LockBit infrastructure, which aspires to stay in the ransomware and extortion market because, by Shaykevich's estimate, it brings in more than 200 million euros a year.

An alleged leader of the group has claimed in a statement that the police intervention was possible because of a “vulnerability in the PHP programming language.” PHP, the open-source Hypertext Preprocessor, is widely used in web development. “All other servers with backup blogs that did not have PHP installed have not been affected and will continue to deliver stolen data from the attacked companies,” the alleged hacker's statement, published in English and Russian, says.

Security companies have already detected these attempts at regrouping, but they question the viability of continuing under the same name after the reputational crisis caused by the dispute on the dark web and after a vulnerability in its infrastructure was exploited by international law enforcement. “As long as people are not arrested, they will most likely change and build a new organization with a new name. But the step that has been taken is important and shows that law enforcement acts and that you can be punished,” explains Shaykevich.

Christopher Asher Wray, director of the FBI, agrees: “This operation [Cronos] demonstrates both our ability and our commitment to defend cybersecurity against any malicious actor seeking to affect our way of life. We will continue to work with our national and international allies to identify, disrupt and deter cyber threats, and to hold perpetrators accountable.”
