One of the world’s biggest criminal hacking gangs woke up on Tuesday to a startling discovery: Law enforcement, after taking over their main website on Monday, were now threatening to reveal their personal details and data about their cybercrime organization.
The group, Lockbit, had become notorious in cybercrime circles for using malicious software called ransomware to digitally extort victims, relying on underground marketing campaigns to boost its profile. At one point, Lockbit had promised $1,000 to anyone who tattooed their logo on themselves, according to cybersecurity researchers.
The group’s ringleader, known by the online moniker “LockbitSupp,” had also become so confident in their own anonymity that, according to Britain’s National Crime Agency (NCA), they had promised $10 million to the first person who could find and unmask them.
The international law enforcement operation, which had posted on the extortion website on Monday that it had taken control, on Tuesday announced it had re-engineered Lockbit’s core online system — mimicking the countdown clock that Lockbit used in extortion attempts and posing its own $10 million challenge, according to a review of Lockbit’s darkweb site.
The core online system was re-engineered to target the hackers in the same way they had terrorized victims: with an advent calendar-like series of tiles, each marked with a countdown timer that, upon reaching zero, published stolen data.
Across the website’s front page, where victim names once stood, law enforcement agencies replaced the text and links with internal data obtained by hacking the hackers themselves.
The resulting display was a smorgasbord of law enforcement action against Lockbit which included indictments, sanctions, a tool with which victims can decrypt their data, and a new countdown with two days left on the clock which asked: “Who is LockbitSupp? The $10 million question.”
Before it was taken down, Lockbit’s website had displayed an ever-growing gallery of victim organizations that was updated nearly daily. Next to the names were digital clocks showing the number of days left to the deadline given to each organization to provide ransom payment.
The unique law enforcement operation was the result of a years-long investigation by international police agencies and was designed to undermine the group’s credibility in the criminal underground, officials said.
“Lockbit’s affiliates should be very concerned right now, especially as law enforcement continues to make decryptors available to victims,” said Charles Carmakal, Mandiant Consulting’s chief technology officer.
The United States has charged two Russian nationals with deploying Lockbit ransomware against companies and groups around the world. Police in Poland and Ukraine made two arrests.
Before it was seized by police, Lockbit was able to extort multiple hacking victims at the same time through its website, which listed breached companies next to the countdown timer.
Once the counter expired, the cybercriminals would often publish caches of stolen data from the victimized company – historically, these exposures included personal private information of customers, medical records, internal billing data and the communications of internal staff, among other things.
These leaks were intended to harm the reputation of victims and put them in legal jeopardy, experts told Reuters, netting Lockbit over $120 million in ransom payments.
On Tuesday, Graeme Biggar, director general of the NCA, told journalists that the true cost, including money spent by organizations and corporations scrambling to regain access to their networks and the impact on business, could amount to losses totalling billions.
(Reporting by Christopher Bing in Washington and James Pearson in London; editing by Chris Sanders and Leslie Adler)