Fall of LockBit, the Russian ransomware giant


THE sudden fall of a ransomware supplier once described as the world's most harmful cybercrime group has raised questions about Moscow's role in its development and the fate of its founder.
LockBit supplied ransomware to a global network of hackers, who used the services in recent years to attack thousands of targets worldwide and rake in tens of millions of dollars.
Ransomware is a type of malicious software, or malware, that steals data and prevents a user from accessing computer files or networks until a ransom is paid for their return.
LockBit supplied a worldwide network of hackers with the tools and infrastructure to carry out attacks, communicate with victims, store the stolen information and launder cryptocurrencies.
According to the United States State Department, between 2020 and early 2024 LockBit ransomware carried out attacks on more than 2,500 victims around the world.
It issued ransom demands worth hundreds of millions of dollars and received at least US$150 million in actual ransom payments made in the form of digital currency.
But LockBit was dealt its first devastating blow in February 2024 when the British National Crime Agency (NCA), working with the US Federal Bureau of Investigation and other nations, announced it had infiltrated the group's network and taken control of its services.
Later that year, the NCA announced it had identified LockBit's leader as a Russian named Dmitry Khoroshev (alias LockBitSupp).
LockBit, which the NCA said was "once the world's most harmful cybercrime group", sought to adapt by using different sites.
But earlier this year, it suffered an even more devastating breach and received a taste of its own medicine.
Its systems were hacked and some of its data stolen in an attack whose origins were mysterious and which has, unusually in the cybercrime world, never been claimed.
"Don't do crime. Crime is bad. Xoxo from Prague," said a cryptic message written on the website it had been using.
"LockBit was No. 1. It was in survival mode and took another hit" with the leak, said Vincent Hinderer, Cyber Threat Intelligence team manager with Orange Cyberdefense.
"Not all members of the group have been arrested. Other, less experienced cybercriminals may join," he added.
A French cyberdefence official, who asked not to be named, said the fall of LockBit in no way represented the end of cybercrime.
"You can draw a parallel with counterterrorism. You cut off one head and others grow back."
The balance of power also shifts fast.
Other groups are replacing LockBit, which analysts said was responsible in 2023 for 44 percent of ransomware attacks worldwide.
"Some groups achieve a dominant position and then fall into disuse because they quit on their own, are challenged or there's a breakdown in trust that causes them to lose their partners," said Hinderer.
"Conti was the leader, then LockBit, then RansomHub. Today, other groups are regaining leadership. Groups that were in the top five or top 10 are rising, while others are falling."
In a strange twist, the LockBit data leak revealed that one of its affiliates had attacked a Russian town of 50,000 inhabitants.
LockBit immediately offered the town decryption software — an antidote to the poison.
But it did not work, said the French official.
"It was reported to the FSB (security service), who quietly resolved the problem."
One thing appears to be clear — the field is dominated by the Russian-speaking world.
Among the top 10 cybercrime service providers, "there are two Chinese groups", said a senior executive working on cybercrime in the private sector.
"All the others are Russian-speaking, most of them still physically located in Russia or its satellites," said the executive, who also requested anonymity.
"We can't say the groups are sponsored by the Russian state but the impunity they enjoy is enough to make it complicit," argued the French official, pointing to a "porosity" between the groups and the security services.
The whereabouts and status of Khoroshev are also a mystery.
