FBI, Europol, NCA: APT group LockBit smashed!


According to the authorities, Europol, the FBI and the British NCA have dismantled the APT group LockBit. At the very least, they have all darknet leak sites under their control and are probably already distributing decryption tools. The authorities have even used the leak-site system itself to distribute information and tools.

It sounds too good to be true: a global network of authorities, including the FBI, Europol, the NCA and many more, has succeeded in striking a significant blow against the APT group LockBit. Officially, the group's network has been dismantled, its servers taken over, source code and documents confiscated, and even all leak sites taken over. This is according to a report from the British National Crime Agency (NCA). The NCA has taken control of LockBit's primary management environment, which allowed its partners to create and carry out attacks, as well as the group's publicly accessible leak site on the dark web, where it hosted data previously stolen from victims and threatened to publish it.


Leak sites are now helping victims

The authorities have not blocked the LockBit leak page on the darknet, but are using it as an information platform (Image: B2B-CS).

Typically, a group's leak pages are simply blocked after an arrest. This time it is different: the website now displays a range of information about LockBit's capabilities and processes. The whole thing is meant to help the victims. There you will find information about contact points, help after payment, decryption keys and links to decryption tools. The taken-over page with the information can now be found at this Tor address: to the LockBit page (onion address).

Victim data still available despite promise to delete

The authorities have access to the LockBit group's entire administration system. This includes the leak sites and their controls, as well as the chat in which negotiations were held with the victims. The entire management system for the data exfiltrated from victims is also in the hands of the authorities, as are the source code of the malware and the affiliate platform for partners of the LockBit group. One of the most interesting finds is stolen data belonging to victims who had paid the ransom. LockBit had repeatedly promised that the data would be deleted after a payment. But gangsters are gangsters.


Data exfiltration tool and server confiscated

LockBit had a custom data exfiltration tool called Stealbit that was used by partners to steal victim data. Members of the Op Cronos task force seized this infrastructure, which was located in three countries, and 28 servers belonging to LockBit affiliates were also shut down. At the same time, the first people who are said to have worked with LockBit have already been arrested in Poland and Ukraine. According to Europol, 200 Bitcoin accounts have also been frozen.

More at Europol.Europa.eu