Cyber Defense Advisors

Tick tock.. Operation Cronos arrests more LockBit ransomware gang suspects

International law enforcement agencies have scored another victory against the LockBit gang, with a series of arrests and the seizure of servers used within the notorious ransomware group’s infrastructure. 

As Europol has detailed in a press release, international authorities have continued to work on “Operation Cronos”, and now arrested four people, seized servers, and implemented sanctions against an affiliate of the ransomware group. 

A suspected LockBit developer who made the mistake of holidaying outside Russia was the first to be arrested, thanks to an extradition treaty between the country he was visiting and France. Although his identity has not been revealed, a post on LockBit’s dark web leak site (which was seized by the authorities in February) confirmed the arrest. 

“In the framework of an investigation by French Gendarmerie, an individual believed to be a major actor inside the LockBit network was arrested as he was on holiday outside of Russia. An extradition request was sent by French authorities. This individual is facing severe charges in the French core case against the LockBit organised crime group.”

Meanwhile, in the UK, the National Crime Agency (NCA) has arrested two individuals – one suspected of being a LockBit affiliate, and the other facing money-laundering charges. According to police, the suspects’ identities were determined after careful analysis of data seized from LockBit’s infrastructure in February. 

A posting by the UK’s NCA on the seized LockBit dark website boasts that it now has “a full understanding of the platform and how it operated, and all this detail is presently being worked through with our international Cronos colleagues to help us identify and pursue criminals all over the world. As you can see, we have already identified some, but this is just a start.” 

The post also says that analysis of LockBit’s source code confirmed investigators’ suspicions that the gang designed its systems to retain stolen data even after corporate victims paid a ransom, despite promising to delete it. 

Meanwhile, Spanish law enforcement officers have seized nine servers used as part of the ransomware’s infrastructure, and arrested a man at Madrid airport believed to be the administrator of a “bulletproof” hosting service used by the gang to keep their systems online.

Australia, the UK, and the United States have additionally imposed sanctions on an individual whom the NCA believes to be a highly active LockBit affiliate (and whom it also suspects of being closely linked to another cybercrime group, Evil Corp). 

31-year-old Aleksandr Ryzhenkov, believed to reside in Russia, is wanted for his alleged involvement in a series of ransomware attacks and money laundering activities. According to the FBI, he is a known associate of Maksim Yakubets (also known as “AQUA”), the head of the Evil Corp cybercrime gang. 

According to a post by the NCA on the seized LockBit leak site, Ryzhenkov made over 60 versions of the LockBit ransomware and sought to extort at least $100 million in ransom demands. 

One imagines that other core members and affiliates of the LockBit gang will be concerned to learn that police now have access to even more of the criminal operation’s servers, and will be trawling through the data held on them to identify further suspects.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.