'Kisses from Prague': The fall of a Russian ransomware giant

The sudden fall of a ransomware supplier once described as the world's most harmful cybercrime group has raised questions about Moscow's role in its development and the fate of its founder.
LockBit supplied ransomware to a global network of hackers, who used the services in recent years to attacks thousands of targets worldwide and rake in tens of millions of dollars.
Ransomware is a type of malicious software, or malware, that steals data and prevents a user from accessing computer files or networks until a ransom is paid for their return.
LockBit supplied a worldwide network of hackers with the tools and infrastructure to carry out attacks, communicate with victims, store the stolen information and launder cryptocurrencies.
According to the US State Department, between 2020 and early 2024 LockBit ransomware carried out attacks on more than 2,500 victims around the world.
It issued ransom demands worth hundreds of millions of dollars and received at least $150 million in actual ransom payments made in the form of digital currency.
But LockBit was dealt its first devastating blow in February 2024 when the British National Crime Agency (NCA), working with the US FBI and several other nations, announced it had infiltrated the group's network and took control of its services.
Later that year, the NCA announced it had identified LockBit's leader as a Russian named Dmitry Khoroshev (alias LockBitSupp).
The US State Department said it was offering a reward of up to $10 million for information leading to his arrest.
Lockbit, which the NCA said was "once the world's most harmful cybercrime group", sought to adapt by using different sites.
But earlier this year it suffered an even more devastating breach and received a taste of its own medicine.
Its systems were hacked and some of its data stolen in an attack whose origins were mysterious and has, unusually in the cybercrime world, never been claimed.
"Don't do crime. Crime is bad. Xoxo from Prague," said a cryptic message written on the website it had been using.
- 'Others grow back' -
"Lockbit was number one. It was in survival mode and took another hit" with the leak, said Vincent Hinderer, Cyber Threat Intelligence team manager with Orange Cyberdefense.
"Not all members of the group have been arrested. Other, less experienced cybercriminals may join," he added.
However, observations of online chats, negotiations and virtual currency wallets indicate "attacks with small ransoms, and therefore a relatively low return on investment", he said.
A French cyberdefence official, who asked not to be named, said the fall of LockBit in no way represented the end of cybercrime.
"You can draw a parallel with counterterrorism. You cut off one head and others grow back."
The balance of power also shifts fast.
Other groups are replacing LockBit, which analysts said was responsible in 2023 for 44 percent of ransomware attacks worldwide.
"Some groups achieve a dominant position and then fall into disuse because they quit on their own, are challenged or there's a breakdown in trust that causes them to lose their partners," said Hinderer.
"Conti was the leader, then LockBit, then RansomHub. Today, other groups are regaining leadership. Groups that were in the top five or top 10 are rising, while others are falling."
In a strange twist, the LockBit data leak revealed that one of its affiliates had attacked a Russian town of 50,000 inhabitants.
LockBit immediately offered the town decryption software -- an antidote to the poison.
But it did not work, the French official told AFP.
"It was reported to the FSB (security service), who quietly resolved the problem," the official said.
- 'Complicit' -
One thing appears to be clear -- the field is dominated by the Russian-speaking world.
Among the top 10 cybercrime service providers, "there are two Chinese groups", said a senior executive working on cybercrime in the private sector.
"All the others are Russian-speaking, most of them still physically located in Russia or its satellites," said the executive, who also requested anonymity.
It is harder to ascertain what role the Russian state might play -- a question all the more pertinent since Moscow's 2022 invasion of Ukraine.
"We can't say that the groups are sponsored by the Russian state but the impunity they enjoy are enough to make it complicit," argued the French official, pointing to a "porosity" between the groups and the security services.
The whereabouts and status of Khoroshev are also a mystery.
The bounty notice from the US State Department, which said Khoroshev was aged 32, gives his date of birth and passport number but says his height, weight and eye colour are unknown.
His wanted picture shows an intense man with cropped hair and bulging muscular forearms.
"As long as he doesn't leave Russia, he won't be arrested," said the private sector expert. "(But) we're not sure he's alive."
"The Russian state lets the groups do what they want. It's very happy with this form of continuous harassment," he alleged.
In the past, there was some cooperation between Washington and Moscow over cybercrime but all this changed with the Russian invasion of Ukraine.
French expert Damien Bancal cites the case of Sodinokibi, a hacker group also known as REvil, which was dismantled in January 2022.
"The FBI helped the FSB arrest the group. During the arrests, they found gold bars and their mattresses were stuffed with cash," he said.
But since the invasion of Ukraine, "no-one is cooperating with anyone any more".
Asked if the US has questioned Moscow about Khoroshev after the bounty was placed on his head, Kremlin spokesman Dmitry Peskov said: "Unfortunately, I have no information."
dla-sjw/as

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

Yahoo

13 minutes ago

• Yahoo

Ukrainian forces attack oil depot in Russia's Rostov region

(Reuters) -Ukrainian forces on Monday attacked and set ablaze an oil depot in Russia's southern Rostov region used to supply Russian forces in occupied parts of Ukraine, the Ukrainian military said. The General Staff of Ukraine's Armed Forces said the military's special operations units, in conjunction with rocket forces and artillery, had hit the Atlas plant in the Rostov region, not far from Ukraine's eastern border. "A strike by our forces in the area of the target has been confirmed," the General Staff said in a statement on Telegram. "A fire has been observed. The results of the strike are being clarified." The statement said the facility was used to provide fuel and lubricants to Russian units operating in Russian-occupied parts of the Luhansk and Donetsk regions on the war's eastern front. Ukrainian forces have been engaged in cross-border attacks, including energy industry targets, which the General Staff said was aimed at curbing Russia's economic potential to proceed with the more than three-year-old war in Ukraine. Ukrainian military bloggers had earlier reported on the raid on the oil depot, saying fuel tanks had been engulfed in a blaze in the incident.

San Francisco Chronicle​

21 minutes ago

• San Francisco Chronicle​

Dutch government says pro-Russian hackers target municipalities linked to this week's NATO summit

THE HAGUE, Netherlands (AP) — Pro-Russian hackers launched a series of denial-of-service attacks Monday on several municipalities and organizations linked to a NATO summit this week in the Netherlands, the Dutch government announced. The National Cybersecurity Center said in a statement that many of the attacks were claimed by a pro-Russian hackers' group known as NoName057(16) 'and appear to have a pro-Russian ideological motive.' It did not elaborate. The cybersecurity center said it was investigating the attacks that flood a site with data in order to overwhelm it and knock it offline, and was in contact with 'national and international partners.' Raoul Rozestraten, a spokesman for the municipality in The Hague, the Dutch city hosting the summit Tuesday and Wednesday, said the attacks hit municipalities around the country. 'We noticed more traffic on the website of some of our service providers,' he told The Associated Press. 'As of now, everything in The Hague is working normally." The government had launched a major security operation, named 'Orange Shield,' around the NATO summit.

Yahoo

23 minutes ago

• Yahoo

Fifa considers options for Iran at 2026 World Cup after conflict with hosts US

Iran have qualified for their fourth consecutive World Cup but face playing in the US which has imposed a travel ban on their citizens. Iran have qualified for their fourth consecutive World Cup but face playing in the US which has imposed a travel ban on their citizens. Photograph: Abedin Taherkenareh/EPA Fifa is facing new questions over the increasingly fraught World Cup next year, with the issue of how to treat Iran while the country is involved in a conflict with the co-host the US. There are no provisions within Fifa's regulations to prevent Iran from playing their group matches in the US, despite the country being subject to military action by the Trump administration and Iranian citizens being under a travel ban that prevents them from entering the country. The ban contains an exemption that could apply to players, staff or associated families with teams at the 2026 Fifa World Cup. Advertisement Iran, who faced USA in the group stage of the 2022 World Cup in Qatar, qualified in March for their fourth consecutive World Cup. Although 2026 is also being hosted by Canada and Mexico, only by being given a specific slot in group A could Iran avoid playing in the US, with their matches then taking place in Mexico. Related: Fifa again under scrutiny for World Cup's increased carbon footprint If Iran won that group they would stay in Mexico for their last-32 game and any last-16 match. Should they go further – and they have never reached a World Cup knockout game – they would then play in the US. Fifa did not respond on Monday to a request for comment from the Guardian and will likely be considering its options before the World Cup draw, which is due to take place in December. The decision will be a difficult one for its president, Gianni Infantino, who has associated himself closely with President Donald Trump, who authorised the use of US bombs on Iranian nuclear sites last weekend. Advertisement Infantino and the Fifa Council will have the final say on inclusion in the competition and the makeup of the draw, but the organising committee for Fifa competitions will be expected to have input. The committee has members from Canada, Mexico and Iran, and its chair is Uefa's president, Aleksander Ceferin. In 2022, his organisation announced that Ukraine and Belarus would be kept apart in Uefa competition draws, after the Russian invasion of Ukraine, and his action may provide an example for Fifa to follow. Before the World Cup draw in Qatar, the agreed draw constraints included limitations on where teams could be selected but this related only to a 'general principle' that no more than one team from each confederation (excluding Europe) should appear in a given group.