Joint Global Operation Leads to Arrests and Sanctions Against LockBit Ransomware and Evil Corp Members

October 3, 2024
Cybercrime / Ransomware

A coordinated international law enforcement effort has resulted in four arrests and the shutdown of nine servers associated with the LockBit (also known as Bitwise Spider) ransomware operation, targeting a once-prominent financially motivated cybercriminal group. Key developments include the apprehension of a suspected LockBit developer in France while on vacation outside Russia, the arrest of two individuals in the UK linked to an affiliate, and the capture of an administrator of a bulletproof hosting service in Spain used by the gang, according to Europol. Additionally, authorities have identified a Russian national, Aleksandr Ryzhenkov (known by several aliases including Beverley and Corbyn_Dallas), as a high-ranking member of the Evil Corp cybercrime group and a LockBit affiliate. Sanctions have been imposed on seven individuals and two entities connected to the e-crime organization. “The United States, in collaboration with our allies…”

LockBit Ransomware and Evil Corp Members Arrested in Global Law Enforcement Operation

On October 3, 2024, a coordinated international law enforcement operation resulted in the arrest of four individuals and the dismantling of nine servers associated with the LockBit ransomware group, also known as Bitwise Spider. This initiative represents a significant advance in the fight against a previously highly active organization focused on financial gain through cybercrime.

Among those detained is a suspected LockBit developer apprehended in France while on vacation outside Russia, alongside two individuals in the United Kingdom alleged to have supported an affiliate of the group. Additionally, an administrator of a bulletproof hosting service based in Spain, used by LockBit, was also arrested. Europol confirmed these developments in a recent statement.

In a parallel action, a Russian national, Aleksandr Ryzhenkov, identified by multiple aliases including Beverley and G, was linked to the notorious Evil Corp cybercrime syndicate. Authorities characterized him not only as a significant figure within Evil Corp but also as an associate of LockBit, underscoring the interconnected nature of these criminal organizations. Following these revelations, sanctions were imposed against seven individuals and two entities connected to Evil Corp, highlighting ongoing efforts to curb their activities.

This crackdown is part of a broader strategy involving the United States and its allies, reflecting heightened international collaboration aimed at combating cyber threats. The operational scope of LockBit has witnessed a notable decline due to intensified law enforcement measures, yet the criminal network remains a pertinent concern for businesses worldwide.

Cybersecurity experts suggest that the tactics employed by LockBit in their operations align with various techniques outlined in the MITRE ATT&CK framework. These include initial access strategies, such as phishing or exploitation of vulnerabilities, designed to infiltrate targeted systems. Once inside, attackers often use persistence methods to maintain access, which can also lead to privilege escalation to gain greater control over compromised networks.

As cyber threats continue to evolve, it is imperative for business owners to stay vigilant and informed about the tactics used by adversaries, particularly as ransomware groups increasingly adapt to countermeasures. The recent arrests serve as a stark reminder of the ongoing battle against cybercrime and the importance of robust cybersecurity practices to safeguard sensitive data and operational integrity. In an era where cyber threats loom large, staying informed about these developments and understanding their implications is crucial for businesses looking to protect themselves from potential attacks.

Source link

Related Posts

North Korean Hackers Unleash New KLogEXE and FPSpy Malware in Targeted Assaults

Date: Sep 26, 2024
Category: Cyber Attack / Malware

Cybercriminals linked to North Korea have been detected deploying two new malware variants, KLogEXE and FPSpy. These activities have been connected to the threat group known as Kimsuky, also referred to as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima. “These new samples expand Sparkling Pisces’ already extensive toolkit and highlight the group’s ongoing evolution and enhanced capabilities,” stated Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger. Active since at least 2012, this group has earned the moniker “king of spear-phishing” for its skill in deceiving victims into downloading malware via emails that appear to originate from trusted sources. Unit 42’s investigation into Sparkling Pisces’ infrastructure has revealed the emergence of two new portable executables, KLogEXE and FPSpy. “These malware strains are known to be…

New HTML Smuggling Scheme Distributes DCRat Malware to Russian-Speaking Users

On September 27, 2024

GenAI / Cybercrime

A recent campaign is specifically targeting Russian-speaking users by spreading the DCRat malware (also known as DarkCrystal RAT) through a method known as HTML smuggling. This marks the first instance of this malware being delivered via this technique, shifting away from traditional methods such as compromised websites or phishing emails that included malicious PDF attachments or Excel documents with macros. “HTML smuggling serves primarily as a means of delivering the payload,” explained Netskope researcher Nikhil Hegde in an analysis released Thursday. “The payload can either be embedded directly within the HTML or fetched from an external source.” The HTML files can be distributed via fake websites or malicious spam emails. When victims open the file in their web browser, the hidden payload is decoded and downloaded to their system. The success of this attack relies significantly on social engineering tactics to persuade the victim to execute the file.

Microsoft Flags Storm-0501 as a Significant Threat in Hybrid Cloud Ransomware Operations

September 27, 2024
Ransomware / Cloud Security

Microsoft has identified the cyber group Storm-0501 as a noteworthy threat, targeting key sectors such as government, manufacturing, transportation, and law enforcement in the United States. Their sophisticated, multi-stage attack strategy is designed to infiltrate hybrid cloud environments, allowing attackers to move laterally from on-premises systems to the cloud. This approach leads to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. According to Microsoft’s threat intelligence team, Storm-0501 operates as a financially driven cybercriminal organization, utilizing both commodity and open-source tools for their ransomware activities. Active since 2021, they initially focused on educational institutions with the Sabbath ransomware before transitioning to a ransomware-as-a-service (RaaS) model, distributing various ransomware variants including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.