More LockBit Hackers Arrested

More LockBit hackers arrested, unmasked as law enforcement seizes servers. Previously seized LockBit websites have been used to announce more arrests, charges and infrastructure disruptions. Law enforcement on Tuesday used the previously seized websites of the LockBit ransomware group to announce more arrests and infrastructure disruptions.

Recent collaborative efforts by Europol, the U.S., and the UK have led to significant developments in the fight against cybercrime, particularly against the notorious LockBit ransomware group. These actions include arrests and the seizure of critical infrastructure, signaling a robust response to this ongoing threat.

Key Arrests and Actions

Europol announced a series of law enforcement actions, including the arrest of an alleged LockBit developer at the request of France while he was on vacation outside of Russia. In the UK, two individuals were arrested for their involvement in supporting a LockBit affiliate.

In Spain, authorities apprehended the alleged administrator of a bulletproof hosting service that facilitated LockBit operations, allowing them to seize nine servers integral to the group’s infrastructure. This suspect is considered a significant contributor to LockBit’s operations, and the intelligence gathered from this arrest is expected to aid in prosecuting key members of the cybercrime organization.

Unmasking Key Figures

One of the most noteworthy developments is the identification of Aleksandr Viktorovich Ryzhenkov, a 31-year-old Russian national. Authorities claim Ryzhenkov is not only affiliated with LockBit but is also a member of Evil Corp, a well-known cybercrime organization linked to various cyberespionage activities on behalf of the Russian government.

Ryzhenkov, operating under the alias “Beverley,” allegedly created over 60 ransomware builds and sought to extort at least $100 million in ransom. The U.S. Justice Department has charged him, but not specifically for LockBit-related offenses—rather, he faces charges related to the BitPaymer ransomware attacks.

Sanctions Against Cybercriminals

The U.S., UK, and Australia have imposed sanctions on Ryzhenkov and 15 other alleged members of Evil Corp. Among those targeted is Maksim Yakubets, purportedly the leader of Evil Corp, who is also wanted with a $5 million bounty on his head. Authorities describe Ryzhenkov as Yakubets’ right-hand man.

Impact of Law Enforcement Operations

LockBit’s operations have reportedly affected over 2,500 entities across more than 120 countries. In February 2024, law enforcement agencies announced that LockBit’s activities had been significantly disrupted as part of Operation Cronos, which included server seizures and arrests.

The UK’s National Crime Agency (NCA) took over the Tor domains previously used by LockBit to leak victim data and used them to communicate about the operation’s success.

Identifying the Mastermind

In early May, investigators revealed the identity of Dimitry Yuryevich Khoroshev, believed to be the LockBit administrator known as LockBitSupp. Khoroshev has been accused of creating and managing the LockBit ransomware, allegedly earning over $100 million from affiliate activities. A reward of up to $10 million has been offered for information leading to his capture.

Since then, two LockBit affiliates have been charged and pleaded guilty in the U.S.

Ongoing Threat and Recent Activity

Despite these law enforcement actions, LockBit has continued to conduct attacks, quickly establishing new leak websites and targeting organizations. In May, it once again emerged as the most active ransomware operation, although experts remain divided on whether this reflects a genuine uptick in activity or a strategy to obscure the group’s weakened state.

However, reports indicate a notable decrease in LockBit’s claimed attacks during the summer months. Their announcements have dwindled, with a particularly notable incident in June where they claimed to have hacked the U.S. Federal Reserve, yet the leaked data was linked to a much smaller financial services firm.

Current Status

As of September 30, LockBit’s leak websites appeared to be offline, though some returned later without updates since late May. The NCA’s recent post titled “The Demise of LockBit since February 2024” confirms the effectiveness of law enforcement actions, stating that the group has lost affiliates and struggled to maintain its operations.

The NCA emphasized, “LockBit’s reputation has been tarnished by the Operation Cronos disruption,” and noted that their attempts to recover have been significantly undermined. The financial repercussions of these actions have affected not only Khoroshev but also the wider network of affiliated cybercriminals.

Conclusion

The crackdown on LockBit represents a significant victory in the ongoing battle against cybercrime. As law enforcement continues to coordinate international efforts, the impacts of these actions are likely to resonate throughout the cybercriminal landscape.