
Tag: hackers

Hackers steal $305 million from DMM Bitcoin crypto exchange | TechCrunch


Japanese crypto exchange DMM Bitcoin confirmed on Friday that it had been the victim of a hack resulting in the theft of 4,502.9 bitcoin, or about $305 million. According to crypto security firm Elliptic, this is the eighth largest crypto theft in history. DMM Bitcoin said it detected “an unauthorized leak of Bitcoin (BTC) from our […]

© 2024 TechCrunch. All rights reserved. For personal use only.


Conservative cell carrier Patriot Mobile hit by data breach | TechCrunch


U.S. cell carrier Patriot Mobile experienced a data breach that exposed subscribers’ personal information, including full names, email addresses, home ZIP codes and account PINs, TechCrunch has learned. Patriot Mobile, which reportedly has fewer than 100,000 subscribers, bills itself as “America’s only Christian conservative wireless provider and our mission is to passionately defend our God-given […]

Rock band's hidden hacking-themed website gets hacked | TechCrunch


On Friday, Pal Kovacs was listening to the long-awaited new album from rock and metal giants Bring Me The Horizon when he noticed a strange sound at the end of the record’s last track.  Being a fan of solving riddles and breaking encrypted codes, Kovacs wondered: does this sound contain a hidden message?  His hunch […]

Ireland privacy watchdog confirms Dell data breach investigation | TechCrunch


A top European privacy watchdog is investigating following the recent breaches of Dell customers’ personal information, TechCrunch has learned.  Ireland’s Data Protection Commission (DPC) deputy commissioner Graham Doyle confirmed to TechCrunch that the DPC has received “a breach notification on this matter” — referring to Dell — which is “currently under assessment.” Asked to elaborate, […]

FBI seizes hacking forum BreachForums — again | TechCrunch


The FBI along with a coalition of international law enforcement agencies seized the notorious cybercrime forum BreachForums on Wednesday.  For years, BreachForums has been a popular English-language forum for hackers and cybercriminals who wanted to advertise, sell, and trade stolen data. Just recently, a threat actor advertised Dell customers’ personal information and data stolen from […]

Threat actor says he scraped 49M Dell customer addresses before the company found out | TechCrunch


The person who claims to have 49 million Dell customer records told TechCrunch that he brute-forced an online company portal and scraped customer data, including physical addresses, directly from Dell’s servers.  TechCrunch verified that some of the scraped data matches the personal information of Dell customers. On Thursday, Dell sent an email to customers saying […]

What we learned from the indictment of LockBit’s mastermind | TechCrunch


On Tuesday, U.S. and U.K. authorities revealed that the mastermind behind LockBit, one of the most prolific and damaging ransomware groups in history, is a 31-year-old Russian named Dmitry Yuryevich Khoroshev, aka “LockbitSupp.”

As is customary in these types of announcements, law enforcement published pictures of Khoroshev, as well as details of his group’s operation. The U.S. Department of Justice charged Khoroshev with several computer crimes, fraud, and extortion. And in the process, the feds also revealed some details about LockBit’s past operations.

Earlier this year, authorities seized LockBit’s infrastructure and the gang’s stores of data, revealing key details of how LockBit worked.

Today, we have more details of what the feds called “a massive criminal organization that has, at times, ranked as the most prolific and destructive ransomware group in the world.”

Here’s what we’ve learned from the Khoroshev indictment.

Khoroshev had a second nickname: putinkrab

LockBit’s leader was publicly known by the not-very-imaginative nickname LockBitSupp. But Khoroshev also had another online identity: putinkrab. The indictment doesn’t include any information about the online handle, though it appears to reference Russian President Vladimir Putin. Several profiles using the same moniker exist on Flickr, YouTube, and Reddit, though it’s unclear whether these accounts were run by Khoroshev.

LockBit hit victims in Russia, too

In the world of Russian cybercrime, according to experts, there’s a sacred, unwritten rule: hack anyone outside of Russia, and the local authorities will leave you alone. Surprisingly, according to the feds, Khoroshev and his co-conspirators “also deployed LockBit against multiple Russian victims.”

It remains to be seen if this means Russian authorities will go after Khoroshev, but at least now they know who he is.

Khoroshev kept a close eye on his affiliates

Ransomware operations like LockBit are known as ransomware-as-a-service. That means there are developers who create the software and the infrastructure, like Khoroshev, and then there are affiliates who operate and deploy the software, infecting victims and extorting ransoms. Affiliates paid Khoroshev around 20% of their proceeds, the feds claimed.

According to the indictment, this business model allowed Khoroshev to “closely” monitor his affiliates, including having access to victim negotiations and sometimes participating in them. Khoroshev even “demanded identification documents from his affiliate Coconspirators, which he also maintained on his infrastructure.” That’s probably how law enforcement was able to identify some of LockBit’s affiliates.

Khoroshev also developed a tool called “StealBit” that complemented the main ransomware. This tool allowed affiliates to store data stolen from victims on Khoroshev’s servers, and sometimes publish it on LockBit’s official dark web leak site.

LockBit’s ransomware payments amounted to around $500 million

LockBit first emerged in 2019, and since then its affiliates have successfully extorted approximately $500 million from around 2,500 victims, which the indictment says ranged from “major multinational corporations to small businesses and individuals, and they included hospitals, schools, nonprofit organizations, critical infrastructure facilities, and government and law-enforcement agencies.”

Apart from the ransom payments, LockBit “caused damage around the world totaling billions in U.S. dollars,” because the gang disrupted victims’ operations and forced many to pay incident response and recovery services, the feds claimed.

Khoroshev got in touch with the authorities to identify some of his affiliates

Probably the most shocking of the latest revelations: In February, after the coalition of global law enforcement agencies took down LockBit’s website and infrastructure, Khoroshev “communicated with law enforcement and offered his services in exchange for information regarding the identity of his [ransomware-as-a-service] competitors.”

According to the indictment, Khoroshev asked law enforcement to “[g]ive me the names of my enemies.”

Police resurrect Lockbit's site and troll the ransomware gang | TechCrunch


An international coalition of police agencies has resurrected the dark web site of the notorious LockBit ransomware gang, which they had seized earlier this year, teasing new revelations about the group.

On Sunday, what was once LockBit’s official darknet site reappeared online with new posts that suggest the authorities are planning to release new information about the hackers in the next 24 hours, as of this writing.

The posts have titles such as “Who is LockBitSupp?”, “What have we learnt”, “More LB hackers exposed”, and “What have we been doing?”

In February, a law enforcement coalition that included the U.K.’s National Crime Agency, the U.S. Federal Bureau of Investigation, as well as forces from Germany, Finland, France, Japan and others announced that they had infiltrated LockBit’s official site. The coalition seized the site and replaced information on it with their own press release and other information in a clear attempt to troll and warn the hackers that the authorities were on to them.

The February operation also included the arrests of two alleged LockBit members in Ukraine and Poland, the takedown of 34 servers across Europe, the U.K., and the U.S., as well as the seizure of more than 200 cryptocurrency wallets belonging to the hackers.

The NCA and the FBI did not immediately respond to a request for comment.

LockBit first emerged in 2019, and has since become one of the most prolific ransomware gangs in the world, netting millions of dollars in ransom payments. The group has proven to be very resilient. Even after February’s takedown, the group has re-emerged with a new dark web leak site, which has been actively updated with new alleged victims.

All the new posts on the seized website, except for one, have a countdown that ends at 9 a.m. Eastern Time on Tuesday, May 7, suggesting that’s when law enforcement will announce the new actions against LockBit. Another post says the site will be shut down in four days.

Since the authorities announced what they called “Operation Cronos” against LockBit in February, the group’s leader, known as LockBitSupp, has claimed in an interview that law enforcement exaggerated its access to the criminal organization as well as the effect of its takedown.

On Sunday, the hacking collective vx-underground wrote on X that they had spoken to LockBit’s administrative staff, who had told them the police were lying.

“I don’t understand why they’re putting on this little show. They’re clearly upset we continue to work,” the staff said, according to vx-underground.

The identity of LockBitSupp is still unknown, although that could change soon. One of the new posts on the seized LockBit site promises to reveal the hacker’s identity on Tuesday. It has to be noted, however, that the previous version of the seized site also appeared to promise to reveal the gang leader’s identity, but eventually did not.

Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEO | TechCrunch


The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company’s systems that weren’t protected by multi-factor authentication, according to the chief executive of its parent company, UnitedHealth.

UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system.

This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare’s systems, during which massive amounts of health data were exfiltrated from its systems. UnitedHealth said last week that the hackers stole health data on a “substantial proportion of people in America.”

Change Healthcare processes health insurance and billing claims for around half of all U.S. residents.

According to Witty’s testimony, the criminal hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal.” Organizations like Change use Citrix software to let employees access their work computers remotely on their internal networks. Witty did not elaborate on how the credentials were stolen.

However, Witty did say the portal “did not have multi-factor authentication,” a basic security control that blunts the misuse of stolen passwords by requiring a second factor, such as a one-time code generated on or sent to an employee’s trusted device, so that a password alone is not enough to log in. It’s not known why Change did not set up multi-factor authentication on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in Change’s systems.
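The control Witty is describing, as an added illustration and not code from Change Healthcare, Citrix or UnitedHealth: a toy remote-access login checked with and without an RFC 6238 time-based one-time code as the second factor. The Portal class, the user “alice”, her password, the salt and the TOTP seed are all constructed for the example (the seed is the RFC 4226/6238 reference seed, so the codes can be checked against the published test vectors). Beyond the bare “second code” of the article, it also shows the two details a practitioner wants in the verifier: a small clock-skew window, and a record of the last accepted time step so a code captured in transit cannot be replayed.

```python
"""Password-only versus password-plus-TOTP login (added example; Portal is hypothetical)."""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly; raise in real code


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


class Portal:
    """Hypothetical remote-access portal. Stores a PBKDF2 password hash and a TOTP seed per
    user, plus the last accepted time step so an intercepted code cannot be reused."""

    STEP = 30

    def __init__(self, require_mfa: bool) -> None:
        self.require_mfa = require_mfa
        self._users: Dict[str, Tuple[bytes, bytes, bytes]] = {}  # name -> (salt, pw_hash, seed)
        self._last_step: Dict[str, int] = {}                      # name -> last accepted counter

    def add_user(self, username: str, password: str, totp_secret: bytes, salt: bytes) -> None:
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, pw_hash, totp_secret)

    def login(self, username: str, password: str, code: Optional[str], now: int,
              window: int = 1) -> bool:
        """True only if the password matches and, when MFA is on, a fresh in-window code is
        supplied. 'now' is passed in (not read from the clock) so the example is deterministic."""
        if username not in self._users:
            return False
        salt, pw_hash, secret = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, pw_hash):
            return False
        if not self.require_mfa:
            return True  # the weak configuration: a stolen password alone opens the door
        if code is None:
            return False
        step = now // self.STEP
        last = self._last_step.get(username, -1)
        # Accept the current step plus 'window' steps either side to tolerate clock skew,
        # but never a step at or before the last one accepted: that rejects replayed codes.
        for counter in range(step - window, step + window + 1):
            if counter <= last:
                continue
            if hmac.compare_digest(hotp(secret, counter), code):
                self._last_step[username] = counter
                return True
        return False


def demo() -> Dict[str, bool]:
    """Walk the stolen-credential scenario against both configurations."""
    secret = b"12345678901234567890"  # RFC reference seed, used here as a constructed test user
    salt = b"constructed-demo-salt"   # use os.urandom(16) per user in real code
    password = "Spring2024!"          # constructed; imagine it was phished or bought

    no_mfa = Portal(require_mfa=False)
    no_mfa.add_user("alice", password, secret, salt)
    with_mfa = Portal(require_mfa=True)
    with_mfa.add_user("alice", password, secret, salt)

    t = 59                  # RFC 6238 test time: step 1, code 287082
    code = totp(secret, t)  # what alice's authenticator shows right now
    return {
        "stolen_password_no_mfa": no_mfa.login("alice", password, None, t),
        "stolen_password_mfa": with_mfa.login("alice", password, None, t),
        "password_plus_code": with_mfa.login("alice", password, code, t),
        "replayed_code": with_mfa.login("alice", password, code, t + 5),
        "next_step_code": with_mfa.login("alice", password, totp(secret, t + 30), t + 30),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:24s} -> {'accepted' if accepted else 'rejected'}")
```

The first two results are the whole point of Witty’s testimony: the same stolen password succeeds against the portal without MFA and fails against the one with it. The replay case shows why the verifier must remember the last accepted step rather than only checking the current window.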

“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data,” said Witty.

Witty said the hackers deployed ransomware nine days later on February 21, prompting the health giant to shut down its network to contain the breach.

UnitedHealth confirmed last week that the company paid a ransom to the hackers who claimed responsibility for the cyberattack and the subsequent theft of terabytes of stolen data. The hackers, known as RansomHub, are the second gang to lay claim to the data theft after posting a portion of the stolen data to the dark web and demanding a ransom to not sell the information.

UnitedHealth earlier this month said the ransomware attack cost it more than $870 million in the first quarter, in which the company made close to $100 billion in revenue.

UnitedHealth says Change hackers stole health data on 'substantial proportion of people in America' | TechCrunch


Health insurance giant UnitedHealth Group has confirmed that a ransomware attack on its health tech subsidiary Change Healthcare earlier this year resulted in a huge theft of Americans’ private healthcare data.

UnitedHealth said in a statement on Monday that a ransomware gang took files containing personal data and protected health information that it says may “cover a substantial proportion of people in America.”

The health insurance giant did not say how many Americans are affected but said the data review was “likely to take several months” before the company would begin notifying individuals that their information was stolen in the cyberattack.

Change Healthcare processes insurance and billing for hundreds of thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector; it has access to massive amounts of health information on about half of all Americans.

UnitedHealth said it had not yet seen evidence that doctors’ charts or full medical histories were exfiltrated from its systems.

The admission that hackers stole Americans’ health data comes a week after a new hacking group began publishing portions of the stolen data in an effort to extort a second ransom demand from the company.

The gang, which calls itself RansomHub, published several files on its dark web leak site containing personal information about patients across an array of documents, some of which included internal files related to Change Healthcare. RansomHub said it would sell the stolen data unless Change Healthcare pays a ransom.

RansomHub is the second gang to demand a ransom from Change Healthcare. The health tech giant reportedly paid $22 million to a Russia-based criminal gang called ALPHV in March, which then disappeared, stiffing the affiliate that carried out the data theft out of their portion of the ransom.

RansomHub claimed in its post alongside the published stolen data that “we have the data and not ALPHV.”

In its statement Monday, UnitedHealth acknowledged the publication of some of the files but stopped short of claiming ownership of the documents. “This is not an official breach notification,” UnitedHealth said.

The Wall Street Journal reported Monday that the criminal hacking affiliate of ALPHV broke into Change Healthcare’s network using stolen credentials for a system that allows remote access to its network. The hackers were in Change Healthcare’s network for more than a week before deploying ransomware, allowing the hackers to steal significant amounts of data from the company’s systems.

The cyberattack at Change Healthcare began on February 21 and resulted in ongoing widespread outages at pharmacies and hospitals across the United States. For weeks, physicians, pharmacies and hospitals could not verify patient benefits for dispensing medications, organizing inpatient care, or processing prior authorizations necessary for surgeries.

Much of the U.S. healthcare system ground to a halt, with healthcare providers facing financial pressure as backlogs grow and outages linger.

UnitedHealth reported last week that the ransomware attack has cost it more than $870 million in losses. The company reported it made $99.8 billion in revenue during the first three months of the year, faring better than what Wall Street analysts had expected.

UnitedHealth CEO Andrew Witty, who received close to $21 million in total compensation the full year of 2022, is set to testify to House lawmakers on May 1.
