Chainalysis: On February 20, 2024, the UK National Crime Agency (NCA), together with the US Department of Justice (DOJ), announced the disruption of Lockbit, which has been one of the most prolific ransomware-as-a-service (RaaS) groups operating over the past few years.
In this operation, the NCA, the FBI and international law enforcement partners worked together to seize public servers and websites that were integral to Lockbit's operations, and obtained decryption keys that allow Lockbit victims to recover their data without paying a ransom.
The Justice Department also announced charges against Artur Sungatov and Ivan Kondratyev, two Russian nationals accused of acting as affiliates of Lockbit RaaS and using the strain in ransomware attacks.
Additionally, OFAC sanctioned both individuals for their ransomware activities and included a total of ten cryptocurrency addresses as identifiers in their SDN List entries. These actions follow the May 2023 indictment and sanctioning of Lockbit-affiliated ransomware developer Mikhail Matveev.
We are proud to share that the NCA used Chainalysis tools in this investigation. Below, we look at the unique position Lockbit occupied within the ransomware ecosystem and why this action was important.
Lockbit was one of the most used RaaS strains
According to the Department of Justice, Lockbit targeted more than 2,000 victims and earned more than $120 million in revenue. Our data shows that Lockbit's prominence within the ransomware ecosystem grew rapidly over time.

Additionally, Lockbit was among the most resilient strains in the ransomware ecosystem, remaining active for longer after its launch than most other RaaS strains.
As a RaaS strain, the Lockbit malware was available for rent by other cybercriminals, known as affiliates, who launched their own ransomware attacks with it in exchange for giving the Lockbit operators a share of the revenue from those attacks.
Our data suggests that Lockbit was one of the most prolific and widely used RaaS strains in operation, with potentially hundreds of affiliates, including many associated with other prominent strains.
Lockbit's willingness to serve so many members may be one reason for the chaos researchers have observed within the group, such as the group's continued attacks on hospitals even after top administrators promised to stop attacking healthcare providers, and an incident in which Lockbit administrators publicly refused to pay an affiliate for an attack.
These incidents and the apparent inability to coordinate may be the result of a lack of vetting of members.
At times, Lockbit administrators performed publicity stunts whose value seems questionable compared to the risk they pose to the group's operational security.
For example, in 2022, a Lockbit administrator known by the online handle LockBitSupp announced that he would pay $1,000 to anyone who got a tattoo of the Lockbit logo.
Analysis of LockBitSupp's on-chain activity during this period suggests that, surprisingly, many took up the offer. We can see some of these payouts in the Chainalysis Reactor graph below.
Suffice it to say that admin behavior like this and the seemingly low bar for affiliate access to Lockbit do not paint the group as the most professional in the ransomware ecosystem.
Lockbit and sanctions risk
Even before the recent sanctions explicitly targeting Lockbit affiliates, the strain's low barrier to entry made it an attractive cover for threat actors seeking to obscure their ties to sanctioned entities.
For example, in June 2022, cybersecurity company Mandiant published research suggesting that the Russian ransomware gang Evil Corp had begun using Lockbit. Mandiant positioned this as a likely effort by Evil Corp to disguise itself, since at the time Evil Corp's own links to sanctioned Russian entities were decreasing its victims' willingness to pay ransoms. You can read our previous research on ransomware strain rebranding to learn more about this practice.
On-chain data confirms the connection between Lockbit and Evil Corp, as we see in the Reactor graph below.
Here, we see Lockbit and two other strains that have been identified as Evil Corp rebrands sending funds to the same exchange deposit address.
Similarly, we also see on-chain evidence of Lockbit affiliates working with an Iranian ransomware strain and depositing funds at an Iranian exchange, suggesting that the Lockbit affiliate pictured is likely Iranian. Iran is, of course, one of the most heavily sanctioned jurisdictions in the world.
Finally, blockchain analysis shows that a Lockbit administrator donated cryptocurrency to a self-proclaimed pro-Russian military journalist based in Sevastopol known as Colonel Cassad.
Through social media, Colonel Cassad has solicited donations for the operations of Russian militia groups in the sanctioned jurisdictions of Donetsk and Luhansk, as we identified at the beginning of the Russian war against Ukraine.
Talos cybersecurity researchers have previously written about links between Colonel Cassad and the Russian state hacking unit Fancy Bear, which has been sanctioned by the EU.
OFAC points to ten cryptocurrency addresses in sanctions against Lockbit affiliates Artur Sungatov and Ivan Kondratyev
In its SDN List entries for Lockbit affiliates Ivan Kondratyev and Artur Sungatov, OFAC included a total of ten cryptocurrency addresses controlled by the two individuals.
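Two of the on-chain observations above rest on checks that can be expressed in code: several strains paying into one exchange deposit address (the Evil Corp linkage), and a ransom payment address forwarding to an address that now appears on the SDN List (the sanctions-exposure question for anyone considering paying). The Python below is an added example written for this page, not Chainalysis code or Reactor output; every address, amount and attribution label in it is a constructed placeholder, and the sanctioned set is a stand-in for the real SDN List identifiers, which must be pulled from OFAC's published data.

```python
from collections import defaultdict, deque

# Constructed sample transfers: (sender, receiver, amount_btc, sender_attribution).
# Addresses and attributions are hypothetical placeholders, not real on-chain data.
# Attribution is None where the sending address has not been tied to any entity.
TRANSFERS = [
    ("lb_affiliate_A", "exchange_deposit_7", 1.5, "Lockbit"),
    ("ec_rebrand1_wallet", "exchange_deposit_7", 0.8, "Evil Corp rebrand 1"),
    ("ec_rebrand2_wallet", "exchange_deposit_7", 2.1, "Evil Corp rebrand 2"),
    ("lb_affiliate_B", "exchange_deposit_9", 0.4, "Lockbit"),
    ("lb_affiliate_B", "mixer_in_3", 3.0, "Lockbit"),
    ("victim_payout_X", "lb_ransom_addr_1", 5.0, "Victim org"),
    ("lb_ransom_addr_1", "hop_wallet_2", 4.9, None),
    ("hop_wallet_2", "sdn_listed_addr_K", 4.8, None),
]

# Placeholder for the SDN List address identifiers (hypothetical value).
SANCTIONED = {"sdn_listed_addr_K"}


def shared_deposit_addresses(transfers, min_entities=2):
    """Return {receiving_address: {attributions}} for addresses funded by at
    least min_entities distinct attributed senders.

    An exchange deposit address normally belongs to a single customer account,
    so several differently labelled strains paying into the same one is the
    heuristic behind the Lockbit / Evil Corp rebrand observation.
    """
    by_dst = defaultdict(set)
    for _src, dst, _amt, attribution in transfers:
        if attribution:
            by_dst[dst].add(attribution)
    return {dst: ents for dst, ents in by_dst.items() if len(ents) >= min_entities}


def sanctioned_exposure(transfers, start, sanctioned, max_hops=3):
    """Follow outgoing transfers from `start` for up to max_hops and return the
    smallest number of hops at which a sanctioned address is reached, or None.

    Hop 0 means `start` itself is listed; hop 1 means it paid a listed address
    directly; higher values are indirect exposure through intermediaries.
    """
    out = defaultdict(set)
    for src, dst, _amt, _attribution in transfers:
        out[src].add(dst)
    if start in sanctioned:
        return 0
    seen = {start}
    frontier = deque([(start, 0)])
    while frontier:  # breadth-first, so the first hit is the shortest path
        node, depth = frontier.popleft()
        if depth == max_hops:
            continue
        for nxt in out[node]:
            if nxt in sanctioned:
                return depth + 1
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return None


if __name__ == "__main__":
    for dst, ents in shared_deposit_addresses(TRANSFERS).items():
        print(f"{dst} funded by: {sorted(ents)}")
    hops = sanctioned_exposure(TRANSFERS, "lb_ransom_addr_1", SANCTIONED)
    print(f"lb_ransom_addr_1 reaches a sanctioned address in {hops} hop(s)")
```

On the constructed data the first function links the three labelled strains through exchange_deposit_7, and the second finds that the ransom address reaches a listed address in two hops. Two caveats apply in practice: the shared-deposit heuristic produces false positives for addresses that are not single-customer (payment processors, pooled custodial addresses), so a match is a lead for analysis rather than proof of common control; and an exposure check is only as good as the freshness of the sanctioned set and the hop limit chosen, since funds typically pass through several intermediary wallets before reaching a listed one.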
Authorities have taken down a major ransomware player
These law enforcement actions represent a major victory in the fight against ransomware. As we have shown above, Lockbit was one of the most prolific strains in operation for several years, so taking down its infrastructure and obtaining decryption keys will spare many organizations the damage of Lockbit attacks. We congratulate all the agencies involved.