During the third phase of Operation Cronos, authorities successfully arrested four suspected members of the LockBit ransomware gang in a coordinated international law enforcement effort. Europol announced on Tuesday that these arrests were a significant milestone in the ongoing fight against LockBit, a notorious ransomware-as-a-service group that has been a major player in the cyber threat landscape.
The arrests included one suspected developer of LockBit ransomware in France, two threat actors in the UK who were allegedly supporting the activities of LockBit affiliates, and an alleged administrator in Spain who ran LockBit’s bulletproof hosting service. While the identities of the suspects were not disclosed at the time of the announcement, these arrests mark a significant blow to the operations of the LockBit gang.
Operation Cronos was initially launched in February, resulting in the seizure of LockBit’s websites, servers, source code, and decryption keys. This disruption temporarily hindered LockBit’s activities, but the ransomware gang quickly resumed operations. In the second phase of the operation, authorities exposed and sanctioned the alleged ringleader of LockBit, Dmitry Yuryevich Khoroshev, also known as LockBitSupp in cybercrime circles.
Although Khoroshev was not arrested, his identity was revealed, potentially limiting his ability to launch another ransomware group and dissuading other cybercriminals from collaborating with him. The recent arrests of the four suspected LockBit members are part of the ongoing efforts to dismantle the operations of the ransomware gang and hold its members accountable for their criminal activities.
In addition to the arrests, authorities from Australia, the UK, and the US sanctioned a threat actor who was identified as a prolific affiliate of LockBit and linked to the notorious cybercrime group Evil Corp. A total of 23 alleged cybercriminals were sanctioned during the third phase of Operation Cronos, with 16 of them connected to Evil Corp. Despite previous claims that LockBit and Evil Corp did not collaborate, law enforcement agencies uncovered a link between the two ransomware groups.
Evil Corp, which originated as a financial crime group in Moscow in 2014, evolved into a major cybercriminal organization that extorted over $300 million from victim organizations worldwide, including those in the healthcare and government sectors. Some members of Evil Corp were found to have ties to the Russian government, adding another layer of complexity to the investigation and prosecution of these cybercriminals.
On the same day as the announcements regarding the arrests and sanctions, the US Justice Department unsealed an indictment against a key member of Evil Corp, Aleksandr Viktorovich Ryzhenko, a Russian national. Ryzhenko was charged with deploying the BitPaymer ransomware variant against numerous victim organizations in the US since at least 2017, using various tactics such as phishing, malware, and vulnerability exploitation to gain initial access to the victims’ systems.
The unsealed indictment revealed that Ryzhenko demanded millions of dollars in ransoms from his victims, leading to his designation as a specially designated national by the US government, which imposed financial sanctions and froze any assets he may have held in the US. This latest development further highlights the collaborative efforts of international law enforcement agencies to combat ransomware and cybercriminal activities on a global scale.
As the investigation into the activities of LockBit, Evil Corp, and other cybercriminal groups continues, the arrests and sanctions announced during the third phase of Operation Cronos serve as a stark reminder that law enforcement agencies are committed to disrupting and dismantling these criminal enterprises to protect individuals and organizations from the devastating impact of ransomware attacks.