Charlie Neibergall/Associated Press
There's an FBI sticker on a wall in Omaha, Nebraska.
CNN
The FBI and its international allies have seized a dark website used by the world's most damaging ransomware crime syndicate to blackmail victims, according to messages on the website seen by CNN.
This is a blow to the immediate operations of the multinational ransomware gang known as LockBit, which is a threat to organizations around the world, including healthcare providers in the United States. Hackers claimed credit for a ransomware attack in November that forced New Jersey-based Capital Health to cancel some patient appointments.
LockBit also claimed responsibility for ransomware attacks against Industrial and Commercial Bank of China and Fulton County, Georgia in recent months.
“We can confirm that LockBit's services have been disrupted as a result of the actions of international law enforcement agencies. This is an ongoing and developing operation,” said a message posted on the hackers' website on Monday, along with the seals of the FBI, Britain's National Crime Agency (NCA) and numerous other law enforcement agencies from Australia to Germany.
An NCA spokesperson confirmed to CNN that an enforcement operation against LockBit was underway, adding that the agency would release further details on Tuesday.
An FBI spokesperson told CNN: “A formal announcement and further details will be released in due course.”
The seizure of a ransomware group's dark website forces the cybercriminals to set up new computer infrastructure in order to blackmail their victims. It could also indicate that law enforcement has deeper access to the hackers' network. In another operation against a ransomware gang announced a year ago, the FBI said it had access to decryption software that saved victims about $130 million in ransom payments.
Analysts believe LockBit has members and criminal partners in Eastern Europe, Russia and China. Like other cash-stealing ransomware groups, LockBit rents out its ransomware to “affiliates” who use the malicious code in attacks and receive a cut of the ransoms paid by victims.
LockBit commands a quarter of the ransomware market based on victim information posted online by hackers, said Don Smith, vice president of threat research at the cybersecurity company Secureworks.
The operation is the latest move in a years-long battle between the FBI and its allies around the world and ransomware gangs, often based in Eastern Europe and Russia.
While arrests and seizures of millions of dollars worth of ransoms have been notable, the ransomware economy continues to thrive.
Cryptocurrency tracking firm Chainalysis estimates that cybercriminals extorted a record $1.1 billion in ransoms from victim organizations around the world last year, despite the U.S. government's blockade of financial flows.
Allan Liska, a ransomware expert at cybersecurity firm Recorded Future, told CNN: “Key members of the LockBit group are based in Russia, so it's unlikely they'll be arrested as part of this operation.”
Nevertheless, the seizure of LockBit's website by law enforcement “will have a significant, if short-lived, impact on the ransomware ecosystem, meaning attacks will slow down,” Liska said.
“LockBit has also established a reputation as one of the most ruthless ransomware operators, encouraging its affiliates to target hospitals and schools,” he added. “My hope is that these sectors can get some breathing room to build their defenses.”