A conviction between “dark web” mafias brought down the group of cybercriminals who attacked Seville City Hall and thousands of entities

Notification of police intervention on the LockBit access page following the international action against the kidnapping and extortion group last February. DOCUMENT (via REUTERS)

The dark web, the dark network hidden from search engines, which hides the IP (the identity of the devices we work with) and is accessible only through specific browsers, is not a world without rules, although it is the platform for computer crime, pedophilia, human trafficking or the illegal sale of weapons and drugs. Like all mafias, its groups have their rules, and violating them results in sanctions. The violation of one of these laws, the one on the distribution of money obtained through extortion, brought down LockBit, the largest kidnapping and blackmail organization. Among the many crimes attributed to it since its detection in 2019, it shut down the websites of Seville City Hall, the Port of Lisbon, the California Budget Office, a children’s hospital in Toronto and thousands of businesses. The international police operation against this plot, which resulted in two arrests in Eastern Europe, was possible after its conviction in criminal society. The criminal group is now trying to reappear.

The National Crime Agency (NCA) of the United Kingdom announced on February 20 that it had “taken control of LockBit services” after infiltrating the mafia network in an operation called Kronos. In coordination with Europol, two people were arrested in Poland and Ukraine and 200 cryptocurrency accounts were confiscated. Four other alleged bad actors have been charged in the United States.

“This investigation against the world’s most damaging cybercrime group demonstrates that no criminal operation, wherever it takes place and no matter how advanced, is beyond the reach of the agency and our partners. We have hacked the hackers; took control of their infrastructure, obtained their source code and decrypted the keys that will help victims decrypt their systems. As of today (February 20), LockBit is blocked,” said NCA Director Graeme Biggar.

The director of the United States Federal Bureau of Investigation (FBI) shares the euphoria: “The FBI and our partners have succeeded in disrupting the LockBit criminal ecosystem, which represents one of the most prolific variants of ransomware (extortion through the hijacking of computer systems) in the world.”

Sergey Shaykevich, director of the Check Point Threat Group. CP

But this international police operation marks the end of a process that had already started on the dark web and that was the first trigger for the dismantling of the criminal team. As described by Sergey Shaykevich, director of the Check Point Threat Group, during a multinational meeting in Vienna (CPX), the root of the downfall was a dispute over extortion profits that was settled in a trial between criminals and an unsuccessful appeal that ended in a sentence of disappearance. “LockBit was blocked on the forums (of the dark web) and then fell. It’s a double whammy,” he sums up.

LockBit and other similar organizations use ransomware as a service (RaaS). According to the security company Kaspersky, these are programs accessible via the dark web, like the usual applications of conventional or clean web work environments. “Interested parties leave a deposit to use the subscribed programs. Ransom payments are shared between the LockBit developer team and the attackers, who receive up to three-quarters of the extortion a week later if the objectives have been met.”

Shaykevich reports that the dispute that gave rise to the lawsuit against LockBit amounted to 20 million euros. “Reputation in ransomware is the most important thing,” comments Check Point’s threat manager to explain how a disagreement between criminals led to the downfall of a cybercrime giant.

One of the latest victims of the group was the Seville City Council, from which LockBit demanded more than one and a half million euros for the recovery of municipal computer systems last September. Digital Transformation Advisor Juan Bueno said after the kidnapping that the attackers were “of Dutch origin.”

The event and the councilor’s initial attribution, taken up by numerous media, showed that the Town Hall lacked the necessary protection and that the person responsible for Digital Transformation was unaware of LockBit, “the most prolific ransomware organization in the world,” according to British Home Secretary James Cleverly.

“From Holland? No, no, no. Most are based in Russia. The two people arrested in Poland and Ukraine are not the key members who are in Russia,” explains Shaykevich.

This false Dutch origin referred to the location of the last server from which the email containing the malicious link that led to the hijacking originated. On the dark web, these computer systems for data traffic are used for successive encryption, which prevents tracking. According to the NCA, Operation Kronos led to the takedown of 28 LockBit servers.

A possible revival

However, the dark web trial and the subsequent international police operation do not imply the end of the entire LockBit infrastructure, which aspires to continue in the kidnapping and extortion market, as these activities represent, according to estimates from Shaykevich, more than 200 million euros of income each year.

An alleged leader of the group said in a statement that the police intervention was possible due to a “vulnerability in the PHP programming language.” This name refers to the open source Hypertext Preprocessor system, common in web page development. “All other servers with backup blogs that do not have PHP installed have not been affected and will continue to provide stolen data to the attacked companies,” reads the alleged hacker’s statement, in English and Russian.

Security companies have already detected these attempts to regroup, but question the viability of continuing under the same name after the crisis of criminal reputation generated by the conflict on the dark web and after the exposure of a vulnerability exploited by international police. “Until people are arrested, they will most likely change and build a new organization with a new name. But the step that has been taken is important and shows that the police work and that we can be punished,” explains Shaykevich.

Christopher Asher Wray, director of the FBI, agrees: “This operation (Kronos) demonstrates both our ability and commitment to defending cybersecurity against any malicious actor seeking to impact the way we live. We will continue to work with our domestic and international allies to identify, thwart and deter cyber threats, and to hold their perpetrators accountable.”
