In context: The FBI and other domestic and international authorities frequently bust hacking and malware rings. Typically, they start by making arrests then seizing the group's website – usually hosted on the dark web – and shutting it down with a prominent notice on the landing page.
Earlier this year, an international coalition calling itself Cronos and consisting of law enforcement agencies from several countries, including the UK's National Crime Agency (NCA) and the US's Federal Bureau of Investigation, took down the official LockBit ransomware ring's website. It seemed your typical takedown with only a full-screen placard notice proclaiming it seized by the authorities.
On Sunday, in an unusual turn of protocol, one of the websites on the dark web went back online. While it retained LockBit's original formatting, all the thumbnails were related to the bust (below). It included things like law enforcement press releases and inactive links to more information like "Who is LockbitSupp," "What have we learnt," "More LB hackers exposed," and others. Some say authorities are trying to "troll" the gang, but it's hard to tell who is getting the last laugh when LockBit is still in operation (more on that in a minute).
On Monday, the NCA posted on its X account that it would have an official announcement "in 24 hours" (May 7). Whether this will be in the form of a press release or the seized website going active with the authorities' new information is unclear. It will likely do at least a written statement since not everyone can access the dark web.
What is known is that in addition to the website, authorities seized 34 servers spanning Europe, the UK, and the US and obtained the encryption keys to help victims unlock their systems. They also arrested two LockBit members – one in Ukraine and the other in Poland. Law enforcement believes a third gang member is hiding out in Kaliningrad, Russia, with a $10 million bounty on his head. The hackers also lost access to over 200 cryptocurrency wallets holding an unrevealed sum of ransom proceeds.
Official announcement in 24hrs #Cronos
– National Crime Agency (NCA) (@NCA_UK) May 6, 2024
Watch this space pic.twitter.com/ttKd58QVFL
LockBit first emerged in 2019. It has broadened its scope since then to operating a ransomware-as-a-service outfit. LockBit "rents" its ransomware to other hacking groups and individuals, taking a cut of the profits, just like your standard organized crime gang. The operation has become one of the largest ransomware groups in the world, receiving millions of dollars in payoffs over the years.
The gang is so well organized and spread out so broadly that even after the bust in February, LockBit was back in business with a new website within a week. It has a new dark web presence offering the same services – ransomware and data caches. Cybersecurity website VXUG says it contacted someone on LockBit's staff, who claimed Cronos is just "putting on a show."
"I don't understand why they're putting on this little show. They're clearly upset we continue to work," the staffer said.
I guess we'll find out tomorrow what kind of stunt authorities are trying to pull.
Image credit: Yisusdesdel90