'Kisses from Prague': The fall of a Russian ransomware giant
PARIS: The sudden fall of a ransomware supplier once described as the world's most harmful cybercrime group has raised questions about Moscow's role in its development and the fate of its founder.
LockBit supplied ransomware to a global network of hackers, who used the services in recent years to attacks thousands of targets worldwide and rake in tens of millions of dollars.
Ransomware is a type of malicious software, or malware, that steals data and prevents a user from accessing computer files or networks until a ransom is paid for their return.
LockBit supplied a worldwide network of hackers with the tools and infrastructure to carry out attacks, communicate with victims, store the stolen information and launder cryptocurrencies.
According to the US State Department, between 2020 and early 2024 LockBit ransomware carried out attacks on more than 2,500 victims around the world.
It issued ransom demands worth hundreds of millions of dollars and received at least US$150mil in actual ransom payments made in the form of digital currency.
But LockBit was dealt its first devastating blow in February 2024 when the British National Crime Agency (NCA), working with the US FBI and several other nations, announced it had infiltrated the group's network and took control of its services.
Later that year, the NCA announced it had identified LockBit's leader as a Russian named Dmitry Khoroshev (alias LockBitSupp).
The US State Department said it was offering a reward of up to US$10mil for information leading to his arrest.
Lockbit, which the NCA said was "once the world's most harmful cybercrime group", sought to adapt by using different sites.
But earlier this year it suffered an even more devastating breach and received a taste of its own medicine.
Its systems were hacked and some of its data stolen in an attack whose origins were mysterious and has, unusually in the cybercrime world, never been claimed.
"Don't do crime. Crime is bad. Xoxo from Prague," said a cryptic message written on the website it had been using.
'Others grow back'
"Lockbit was number one. It was in survival mode and took another hit" with the leak, said Vincent Hinderer, Cyber Threat Intelligence team manager with Orange Cyberdefense.
"Not all members of the group have been arrested. Other, less experienced cybercriminals may join," he added.
However, observations of online chats, negotiations and virtual currency wallets indicate "attacks with small ransoms, and therefore a relatively low return on investment", he said.
A French cyberdefence official, who asked not to be named, said the fall of LockBit in no way represented the end of cybercrime.
"You can draw a parallel with counterterrorism. You cut off one head and others grow back."
The balance of power also shifts fast.
Other groups are replacing LockBit, which analysts said was responsible in 2023 for 44% of ransomware attacks worldwide.
"Some groups achieve a dominant position and then fall into disuse because they quit on their own, are challenged or there's a breakdown in trust that causes them to lose their partners," said Hinderer.
"Conti was the leader, then LockBit, then RansomHub. Today, other groups are regaining leadership. Groups that were in the top five or top 10 are rising, while others are falling."
In a strange twist, the LockBit data leak revealed that one of its affiliates had attacked a Russian town of 50,000 inhabitants.
LockBit immediately offered the town decryption software – an antidote to the poison.
But it did not work, the French official told AFP.
"It was reported to the FSB (security service), who quietly resolved the problem," the official said.
'Complicit'
One thing appears to be clear – the field is dominated by the Russian-speaking world.
Among the top 10 cybercrime service providers, "there are two Chinese groups", said a senior executive working on cybercrime in the private sector.
"All the others are Russian-speaking, most of them still physically located in Russia or its satellites," said the executive, who also requested anonymity.
It is harder to ascertain what role the Russian state might play – a question all the more pertinent since Moscow's 2022 invasion of Ukraine.
"We can't say that the groups are sponsored by the Russian state but the impunity they enjoy are enough to make it complicit," argued the French official, pointing to a "porosity" between the groups and the security services.
The whereabouts and status of Khoroshev are also a mystery.
The bounty notice from the US State Department, which said Khoroshev was aged 32, gives his date of birth and passport number but says his height, weight and eye colour are unknown.
His wanted picture shows an intense man with cropped hair and bulging muscular forearms.
"As long as he doesn't leave Russia, he won't be arrested," said the private sector expert. "(But) we're not sure he's alive."
"The Russian state lets the groups do what they want. It's very happy with this form of continuous harassment," he alleged.
In the past, there was some cooperation between Washington and Moscow over cybercrime but all this changed with the Russian invasion of Ukraine.
French expert Damien Bancal cites the case of Sodinokibi, a hacker group also known as REvil, which was dismantled in January 2022.
"The FBI helped the FSB arrest the group. During the arrests, they found gold bars and their mattresses were stuffed with cash," he said.
But since the invasion of Ukraine, "no-one is cooperating with anyone any more".
Asked if the US has questioned Moscow about Khoroshev after the bounty was placed on his head, Kremlin spokesman Dmitry Peskov said: "Unfortunately, I have no information." – AFP
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
The Star
5 hours ago
- The Star
Hong Kong DSE documentary star gets probation after second theft offence
A Hong Kong student who starred in a popular web documentary about secondary school public exams has been placed on probation after a court agreed to give him 'one last chance' following his second shoplifting offence in a year. Eastern Court accepted a probation officer's recommendation and handed Tang Ngai-hong a 12-month probation order on Thursday after he pleaded guilty to theft earlier this month. The 19-year-old admitted stealing a bag of fruit and two packets of potato chips worth a total of HK$61.80 (US$7.87) from the Fresh supermarket at Kornhill Plaza North in Quarry Bay on January 5. The offence took place just five months after Tang was fined HK$3,000 for stealing nearly HK$700 worth of food items from the Kowloon Bay branch of Japanese discount chain store Don Don Donki on May 8, 2024. Acting Principal Magistrate David Cheung Chi-wai said he would give Tang 'one last chance' given his timely plea. The defendant must maintain the peace and observe an array of conditions, including a requirement to attend psychological counselling sessions. Tang, now a first-year student at the University of Hong Kong School of Professional and Continuing Education, was the main subject of a documentary web series about the Diploma of Secondary Education examination by YouTube channel Trial and Error. The channel with 561,000 subscribers spent more than eight months in 2023 documenting Tang's journey through the university entrance exam. The 10-episode online series received overwhelmingly positive responses, with more than a million views on YouTube. The episodes were later re-edited into a full-length documentary feature titled Once Upon a Time in HKDSE , released in cinemas in July last year. It has raked in more than HK$5 million at the box office. - SOUTH CHINA MORNING POST
New Straits Times
7 hours ago
- New Straits Times
Jeffrey denies report claiming he received RM1.78mil in mining corruption scandal
KOTA KINABALU: STAR president Datuk Seri Dr Jeffrey Kitingan has denied allegations published by a news portal claiming he received RM1.78 million in connection with a mining licence corruption scandal. In a statement issued by the party's information chief, Mohd Anuar Ghani Gilong, Jeffrey, who is also Sabah Deputy Chief Minister, stressed that he has never received any funds related to mining applications or the alleged scandal. "The accusations are a deliberate fabrication orchestrated by desperate political actors seeking to exert undue influence on Sabah politics, a tactic that has been employed since the 1960s," the statement read. Jeffrey also said the party denied any involvement in mining activities, clarifying that it had never applied for any mining licences. "As proponents of the Nature Conservation Agreement (NCA), the party maintains that mining is inherently incompatible with its conservation principles." He added that he and other party members had fully cooperated with the Malaysian Anti-Corruption Commission (MACC), including by providing detailed statements. "This is the price one pays for fighting for Sabah's rights," he said. Jeffrey further stated that previous statements made by the whistleblower had cleared both STAR and Parti Bersatu Sabah of any wrongdoing or receipt of illicit funds. Given the severity of the false and malicious allegations, Jeffrey said he reserves the right to pursue all available legal avenues, including legal action against the news portal responsible for what he described as irresponsible and damaging reporting. "It is anticipated that many more libellous and false accusations will surface leading up to the election.
New Straits Times
7 hours ago
- New Straits Times
Ukraine F-16 pilot killed in large-scale Russian attack, Zelenskiy calls for US help
KYIV/LVIV (Ukraine): A Ukrainian F-16 fighter pilot died in a crash while repelling a Russian air attack that involved hundreds of drones, cruise and ballistic missiles, authorities said today, as Moscow intensifies night-time air barrages in the fourth year of war. President Volodymyr Zelenskiy called for more support from Washington and Western allies to bolster Ukraine's air defences after the attack, which damaged homes and infrastructure across the country and injured at least 12 people, according to local authorities. In Kyiv, families huddled in metro stations for shelter after air raid sirens rung out. Machine-gun fire and explosions were heard across the capital and in the western city of Lviv, where such attacks are less common. The governor of the Lviv region, bordering Poland, said the raid targeted critical infrastructure. Ukraine has now lost three F-16s since it began operating the U.S.-made jets last year. Kyiv has not revealed the size of its F-16 fleet, but they have become a central and heavily used part of Ukraine's defences. The pilot flew the damaged jet away from a settlement but did not have time to eject before it crashed, the Ukrainian Air Force said. "The pilot used all of his onboard weapons and shot down seven air targets. While shooting down the last one, his aircraft was damaged and began to lose altitude," the Air Force said on Telegram. The Ukrainian military said in total Russia launched 477 drones and 60 missiles of various types to Ukraine overnight. Ukrainian forces destroyed 211 of the drones and 38 missiles, it said, while 225 more drones were either lost due to electronic warfare or were decoys that carried no explosives. "Moscow will not stop as long as it has the capability to launch massive strikes," Zelenskiy said on X. He said Russia had launched around 114 missiles, 1,270 drones, and 1,100 glide bombs just in the past week. Russia's state-run RIA Novosti news agency said one person was killed by a Ukrainian drone in the Russian-controlled part of Ukraine's Luhansk region. Both Ukraine and Russia say they do not attack civilian targets. POLITICAL WILL Ukraine says recent attacks highlight the need for further support from Washington, which under President Donald Trump has not committed to new military aid for Ukraine. Trump said he was considering a Ukrainian request for more Patriot missile batteries after he met Zelenskiy at a NATO summit last Wednesday. "This war must be brought to an end - pressure on the aggressor is needed, and so is protection," Zelenskiy said in his X post on Sunday after the attack. "Ukraine needs to strengthen its air defence - the thing that best protects lives." He said Ukraine was ready to buy the American air defence systems and it counts on "leadership, political will, and the support of the United States, Europe, and all our partners." Russia has launched large scale strikes on Ukrainian cities every few days in recent weeks, causing widespread damage, killing dozens of civilians and injuring hundreds more. During the latest barrage, explosions were heard in Kyiv, Lviv, Poltava, Mykolaiv, Dnipropetrovsk, Cherkasy and the Ivano-Frankivsk regions, witnesses and regional governors said. The Ukrainian military said air strikes were recorded in six locations. Eleven people, including two children, were injured in the central Cherkasy region, the governor Ihor Taburets said on Telegram. Three multi-storey buildings and a college were damaged in the attack, he said. One woman was injured in western Ivano-Frankivsk region. Rescuers evacuated residents from apartment blocks with charred walls and broken windows, images released by authorities in Cherkasy showed. Industrial facilities were hit in the southern Ukrainian Mykolaiv and central Dnipropetrovsk regions, officials said. Railway infrastructure was damaged in Poltava city in the centre of the country. - REUTERS
