
US, UK police identify and charge Russian leader of LockBit ransomware gang | TechCrunch


The identity of the leader of one of the most infamous ransomware groups in history has finally been revealed.

On Tuesday, a coalition of law enforcement led by the U.K.’s National Crime Agency announced that Russian national Dmitry Yuryevich Khoroshev, 31, is the person behind the nickname LockBitSupp, the administrator and developer of the LockBit ransomware. The U.S. Department of Justice also announced the indictment of Khoroshev, accusing him of computer crimes, fraud and extortion.

“Today we are going a step further, charging the individual who we allege developed and administered this malicious cyber scheme, which has targeted over 2,000 victims and stolen more than $100 million in ransomware payments,” Attorney General Merrick B. Garland was quoted as saying in the announcement.

According to the DOJ, Khoroshev is from Voronezh, a city in Russia around 300 miles south of Moscow.

“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey, where Khoroshev was indicted.

The law enforcement coalition announced the identity of LockBitSupp in press releases, as well as on LockBit’s original dark web site, which the authorities seized earlier this year. On the site, the U.S. Department of State announced a reward of $10 million for information that could help the authorities to arrest and convict Khoroshev.

The U.S. government also announced sanctions against Khoroshev, which effectively bar anyone, including victims paying a ransom, from transacting with him. Sanctioning the people behind ransomware makes it more difficult for them to profit from cyberattacks. Violating sanctions, including by paying a sanctioned hacker, can result in heavy fines and prosecution.

LockBit has been active since 2020, and, according to the U.S. cybersecurity agency CISA, the group’s ransomware variant was “the most deployed” in 2022.

On Sunday, the law enforcement coalition restored LockBit’s seized dark web site to publish a list of posts that were intended to tease the latest revelations. In February, authorities announced that they took control of LockBit’s site and had replaced the hackers’ posts with their own posts, which included a press release and other information related to what the coalition called “Operation Cronos.”

Shortly after, LockBit appeared to make a return with a new site and a new list of alleged victims, which was being updated as of Monday, according to a security researcher who tracks the group.

For weeks, LockBit’s leader, known as LockBitSupp, had been vocal and public in an attempt to dismiss the law enforcement operation, and to show that LockBit is still active and targeting victims. In March, LockBitSupp gave an interview to news outlet The Record in which they claimed that Operation Cronos and law enforcement’s actions don’t “affect business in any way.”

“I take this as additional advertising and an opportunity to show everyone the strength of my character. I cannot be intimidated. What doesn’t kill you makes you stronger,” LockBitSupp told The Record.

Police resurrect Lockbit's site and troll the ransomware gang | TechCrunch


An international coalition of police agencies has resurrected the dark web site of the notorious LockBit ransomware gang, which they had seized earlier this year, teasing new revelations about the group.

On Sunday, what was once LockBit’s official darknet site reappeared online with new posts that suggest the authorities are planning to release new information about the hackers in the next 24 hours, as of this writing.

The posts have titles such as “Who is LockBitSupp?”, “What have we learnt”, “More LB hackers exposed”, and “What have we been doing?”

In February, a law enforcement coalition that included the U.K.’s National Crime Agency, the U.S. Federal Bureau of Investigation, as well as forces from Germany, Finland, France, Japan and others announced that they had infiltrated LockBit’s official site. The coalition seized the site and replaced information on it with their own press release and other information in a clear attempt to troll and warn the hackers that the authorities were on to them.

The February operation also included the arrests of two alleged LockBit members in Ukraine and Poland, the takedown of 34 servers across Europe, the U.K., and the U.S., as well as the seizure of more than 200 cryptocurrency wallets belonging to the hackers.

The NCA and the FBI did not immediately respond to a request for comment.

LockBit first emerged in 2019, and has since become one of the most prolific ransomware gangs in the world, netting millions of dollars in ransom payments. The group has proven to be very resilient. Even after February’s takedown, the group has re-emerged with a new dark web leak site, which has been actively updated with new alleged victims.

All the new posts on the seized website, except for one, have a countdown that ends at 9 a.m. Eastern Time on Tuesday, May 7, suggesting that’s when law enforcement will announce the new actions against LockBit. Another post says the site will be shut down in four days.

Since the authorities announced what they called “Operation Cronos” against LockBit in February, the group’s leader, known as LockBitSupp, has claimed in an interview that law enforcement has exaggerated its access to the criminal organization as well as the effect of its takedown.

On Sunday, the hacking collective vx-underground wrote on X that they had spoken to LockBit’s administrative staff, who had told them the police were lying.

“I don’t understand why they’re putting on this little show. They’re clearly upset we continue to work,” the staff said, according to vx-underground.

The identity of LockBitSupp is still unknown, although that could change soon. One of the new posts on the seized LockBit site promises to reveal the hacker’s identity on Tuesday. It has to be noted, however, that the previous version of the seized site also appeared to promise to reveal the gang leader’s identity, but eventually did not.

Change Healthcare stolen patient data leaked by ransomware gang | TechCrunch


An extortion group has published a portion of what it says are the private and sensitive patient records on millions of Americans stolen during the ransomware attack on Change Healthcare in February.

On Monday, a new ransomware and extortion gang that calls itself RansomHub published several files on its dark web leak site containing personal information about patients across different documents, including billing files, insurance records and medical information.

Some of the files, which TechCrunch has seen, also contain contracts and agreements between Change Healthcare and its partners.

RansomHub threatened to sell the data to the highest bidder unless Change Healthcare pays a ransom.

It’s the first time that cybercriminals have published evidence that they have in their possession medical and patient records from the cyberattack.

For Change Healthcare, there’s another complication: This is the second group to demand a ransom payment to prevent the release of stolen patient data in as many months.

UnitedHealth Group, the parent company of Change Healthcare, said there was no evidence of a new cyber incident. “We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data. Our investigation remains active and ongoing,” said Tyler Mason, a spokesperson for UnitedHealth Group.

What’s more likely is that a dispute between members and affiliates of the ransomware gang left the stolen data in limbo and Change Healthcare exposed to further extortion.

A Russia-based ransomware gang called ALPHV took credit for the Change Healthcare data theft. Then, in early March, ALPHV suddenly disappeared along with a $22 million ransom payment that Change Healthcare allegedly paid to prevent the public release of patient data.

An ALPHV affiliate — essentially a contractor who earns a commission on the cyberattacks they launch using the gang’s malware — went public claiming to have carried out the data theft at Change Healthcare, but that the main ALPHV/BlackCat crew stiffed them out of their portion of the ransom payment and vanished with the lot. The contractor said the millions of patients’ data was “still with us.”

Now, RansomHub says “we have the data and not ALPHV.” Wired, which first reported the second group’s extortion effort on Friday, cited RansomHub as saying it was associated with the affiliate that still had the data.

UnitedHealth previously declined to say whether it paid the hackers’ ransom, nor did it say how much data was stolen in the cyberattack.

The healthcare giant said in a statement on March 27 that it obtained a dataset “safe for us to access and analyze.” The company received that dataset in exchange for the ransom payment, TechCrunch learned from a source with knowledge of the ongoing incident. UHG said it was “prioritizing the review of data that we believe would likely have health information, personally identifiable information, claims and eligibility or financial information.”
