Global Police Op Deals A Major Blow To LockBit Ransomware Syndicate

Read also: Zeus kingpin pleads guilty, the Medibank hacker arrested, and more.

Thursday, February 22, 2024

LockBit ransomware op dismantled, servers seized, members arrested

The notorious LockBit ransomware operation responsible for billions of euros in damages has been disrupted by a major police operation, involving law enforcement agencies from 10 countries.

As part of the multinational effort dubbed ‘Operation Cronos,’ several alleged LockBit affiliates were arrested in Ukraine and Poland, 34 LockBit servers were seized, and more than 14,000 online and web hosting accounts utilized in past LockBit attacks were identified and closed. Furthermore, authorities froze over 200 cryptocurrency accounts linked to the LockBit enterprise.

The UK's National Crime Agency (NCA) spearheaded the operation, seizing control of LockBit's technical infrastructure, including its leak site used for hosting stolen data from victims of ransomware attacks. Additionally, over 1,000 decryption keys were obtained, which allowed law enforcement agencies to develop a decryption tool available through Europol’s “NoMoreRansom” portal.

The US authorities unsealed an indictment against two Russian nationals, Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, for their alleged roles in deploying LockBit ransomware against numerous victims. Additionally, Kondratyev faces charges related to operating the REvil/Sodinokibi ransomware. Both individuals have been sanctioned by the US Department of the Treasury's Office of Foreign Assets Control. In addition, the US State Department announced a reward of up to $10 million for information on LockBit’s leaders and up to $5 for tips leading to the arrest and/or conviction of LockBit’s affiliates.


Kingpin behind Zeus, IcedID malware operations pleads guilty in the US

A Ukrainian national has pleaded guilty to his involvement in two separate malware schemes, which resulted in financial losses amounting to tens of millions of dollars. Vyacheslav Penchukov, aka Vyacheslav Igoravich Andreev and Tank, was allegedly behind two prolific malware groups operating the Zeus and IcedID malware.

The Zeus scheme involved cybercriminals infecting victims’ computers with malware, which allowed them to pilfer sensitive information, including bank account details, passwords, and personal identification numbers for online banking. By posing as authorized personnel, Penchukov and his associates manipulated banks into facilitating unauthorized transfers.

From at least November 2018 through February 2021, Penchukov was allegedly involved in a conspiracy that infected victim computers with IcedID (also known as Bokbot) malware, likewise designed to steal confidential information from victims. IcedID also served as a downloader for other malicious software, such as ransomware.

Penchukov was arrested in Switzerland in 2022 and extradited to the United States in 2023. In his plea agreement, Penchukov confessed to one count of conspiracy to commit a racketeer-influenced and corrupt organizations (RICO) act offense for his involvement in the Zeus enterprise. Additionally, he pleaded guilty to one count of conspiracy to commit wire fraud for his leadership in the IcedID malware group. Penchukov awaits sentencing scheduled for May 9. He faces a maximum penalty of 20 years in prison for each count.

Raccoon Malware-as-a-Service operator extradited to the US from the Netherlands

Mark Sokolovsky, a 28-year-old Ukrainian national, has been extradited to the United States from the Netherlands to face charges in connection with a cybercrime scheme involving the notorious Raccoon Infostealer malware. Sokolovsky was indicted in the US for fraud, money laundering, and aggravated identity theft.

Sokolovsky is accused of operating the Raccoon Infostealer as a malware-as-a-service (MaaS) platform. The service rented access to the malware for approximately $200 per month, with payments made in cryptocurrency.

Once installed onto the computer, the malware would harvest sensitive personal data, such as login credentials and financial information, which could then be used for financial crimes or sold on cybercrime forums.

Sokolovsky was arrested in March 2022 in Denmark. His arrest coincided with a coordinated law enforcement takedown of the digital infrastructure supporting the Raccoon Infostealer. He appeared in court for an initial hearing on February 9, 2024, and is currently being held in custody pending trial.

Russia dismantles the SugarLocker ransomware gang, detains an alleged Medibank hacker

The Russian authorities identified and detained members of the cybercriminal extortion group SugarLocker. The perpetrators operated under the guise of a legitimate IT firm, offering services for the development of landing pages, mobile applications, and online stores.

The ransomware program SugarLocker (aka Encoded01) first emerged in 2021, and was offered as ransomware-as-a-service. The hackers attacked targets through networks and RDP (Remote Desktop Protocol), and, as is common with Russia-linked ransomware gangs, they did not operate in CIS countries.

During the investigation, several suspects were identified, who not only promoted their encryptor but also developed malware, created phishing websites for online stores, and directed user traffic to popular fraudulent schemes in Russia and the CIS.

In January 2024, three alleged SugarLocker members were apprehended, including an individual known under the monikers “blade_runner”, “GistaveDore”, “GustaveDore” and “JimJones”. The same aliases were used by Aleksandr Ermakov, a Russian national sanctioned by the Australian government for orchestrating the 2022 Medibank hack, which exposed the personal data of nearly 10 million Australians.


AstroStress admin faces charges in the US

Scott Esparza, known online as “Hazard,” has been charged by the US authorities for his alleged involvement in the operation of the notorious DDoS-for-hire platform “AstroStress,” which was dismantled in December 2022.

Esparza is accused of running the AstroStress platform, a service allegedly utilized by thousands of registered users to launch distributed denial-of-service (DDoS) attacks. One of the victims was the Baltimore County Public Schools network, according to court documents.

Esparza faces charges related to intentionally causing damage to protected computers; he is alleged to have maintained and enhanced the website and its services, provided customer support, managed subscriptions, and employed marketing tactics to attract more customers.

Esparza's associate, 19-year-old Shamar Shattock, had previously pleaded guilty in March 2023 for his involvement in operating AstroStress. In other news, Milomir Desnica, a dual Serbian and Croatian citizen, received a 168-month prison sentence for his involvement in running the Monopoly Market, a Dark Web platform for buying and selling illegal narcotics.

What’s next:

Key Dutch has been working in information technology and cybersecurity for over 20 years, starting his first job with Windows 95 and dial-up modems. As the Editor-in-Chief of our Cybercrime Prosecution Weekly blog series, he compiles the most interesting news about police operations against cybercrime, as well as about regulatory actions enforcing data protection and privacy law.