A joint law enforcement operation called “Operation Cronos” has disrupted one of the most notorious Ransomware-as-a-Service cybercrime syndicates: LOCKBIT. The case is a successful outcome of a coordinated fight against cybercrime across the private and public sectors, involving multiple Dutch and international parties such as PRODAFT, which helped the NCA, FBI, EUROPOL and others. With the help of extensive research by The Hague-based PRODAFT, they significantly accelerated the overall identification of the largest network, ultimately leading to the disruption of this criminal enterprise. The Threat Intelligence Team identified over 28 LOCKBIT affiliates and uncovered all decryption keys for their ongoing campaigns.
Law enforcement authorities from ten countries (including the Netherlands) in taskforce Cronos managed to infiltrate the group’s network and seize LOCKBIT’s website, infrastructure, and the platform’s source code, causing immediate disruption of its capabilities. Moreover, this coordinated effort resulted in 34 servers being taken down and 14,000 rogue accounts closed. These actions are the outcome of a long-term operation led by the UK’s National Crime Agency in cooperation with many global law enforcement authorities.
LOCKBIT responded to the operation by restoring some of its infrastructure and threatening to continue its work despite the efforts of law enforcement. They seemed unimpressed by the LEAs’ actions but still managed to mention PRODAFT, with LOCKBIT’s leader stating: “Personally, I think the only person who deserves an award and an honorable mention is the person who found a suitable public PHP CVE for my servers, I'm assuming it's someone from PRODAFT.”
Given that this is still an ongoing operation and LOCKBIT will continue fighting back, the law enforcement authorities will use all the gathered information to target further LOCKBIT affiliates, developers, and all parties responsible for the ransomware campaigns that caused global disruption and havoc for numerous critical infrastructures, SMEs, and large corporations. All participating agencies are currently supporting victims worldwide and concentrating their resources on keeping LOCKBIT at bay.
Koryak Uzan responds to LOCKBIT’s warnings that they will continue their business one way or another on a new website:
It's important to note that tracing cybercriminals is a complex and ongoing process. Cybersecurity researchers continuously evolve their methods to keep pace with the changing tactics of threat actors. Additionally, the legal and ethical considerations surrounding cyber investigations are paramount, and firms like PRODAFT operate within the bounds of the law to ensure the responsible pursuit of cybercriminals.
More cases
It's not the first time that PRODAFT in The Hague has helped the authorities with long-term, extensive research and shared relevant findings about cybercriminals. Recently published PRODAFT research helped to disrupt the activities of Mikhail Pavlovich Matveev, also known by the moniker Wazawaka. Matveev is currently under scrutiny for his alleged involvement in cybercriminal activities, prompting concerns across the cyber realm.
Cybersecurity Network in The Hague
PRODAFT is based at the HSD Campus in The Hague, International City of Peace and Justice. The campus is the core of the Dutch security cluster ‘Security Delta (HSD)’ and the place where businesses, knowledge institutions and governments work together to make our digitising world more secure.
The Hague has a strong ecosystem of cybersecurity companies and institutions. During Cybersecurity Week in 2023, the Municipality of The Hague announced its free cybersecurity program for all 200+ NGOs based in The Hague, led by the CyberPeace Institute.