How PRODAFT helped the FBI and Europol to disrupt the LockBit cybercrime gang

Type: Behind the story
Topic: Cybersecurity
Topic: Legal & Policy
Publication date: 6 Mar

“We need to share the data otherwise everybody is in the darkness”

A joint law enforcement operation called “Operation Cronos” has disrupted one of the most notorious Ransomware-as-a-Service cybercrime syndicates: LOCKBIT. The case is a successful outcome of a coordinated fight against cybercrime across the private and public sectors, with multiple Dutch and international parties involved, among them The Hague-based PRODAFT, which assisted the NCA, FBI, EUROPOL and others. PRODAFT’s extensive research significantly accelerated the identification of the largest network, ultimately leading to the disruption of this criminal enterprise. Its Threat Intelligence Team identified over 28 LOCKBIT affiliates and uncovered all decryption keys for their ongoing campaigns.

Koryak Uzan, one of the Managing Directors of PRODAFT: “We managed to notify and provide early warning to all affected parties, giving them an average of 2 - 3 weeks of action time. These notifications substantially diminished the damage that could have been done had the ransomware been deployed successfully. We are thrilled that our contributions aided in disrupting the LOCKBIT operations, as this threat actor gained notoriety by ruthlessly targeting essential services such as hospitals, governmental agencies, emergency providers and educational institutions. The cybercrime mob has been known for using double extortion techniques and victim shaming to pressure their victims into paying the ransom.”

The law enforcement authorities from ten countries (including the Netherlands) in taskforce Cronos managed to infiltrate the group’s network and seize LOCKBIT’s website, infrastructure and the platform’s source code, immediately disrupting its capabilities. Moreover, this coordinated effort resulted in 34 servers being taken down and 14,000 rogue accounts closed. These actions are the outcome of a long-term operation led by the UK’s National Crime Agency in cooperation with many global law enforcement authorities.

LOCKBIT’s response to this operation was to restore some of its infrastructure and threaten to continue its work despite the efforts of law enforcement. The group seemed unimpressed by the LEAs’ actions but still managed to mention PRODAFT, with LOCKBIT’s leader stating: “Personally, I think the only person who deserves an award and an honorable mention is the person who found a suitable public PHP CVE for my servers, I'm assuming it's someone from PRODAFT.”

Royal Dutch Football Association (KNVB): the KNVB confirms it paid a ransom to LockBit in 2023 for hacked employee data.

Given that this is still an ongoing operation and LOCKBIT will continue fighting back, the law enforcement authorities will use all the gathered information to target further LOCKBIT affiliates, developers, and all parties responsible for the ransomware campaigns that caused global disruption and havoc to numerous critical infrastructures, SMEs, and large corporations. All participating agencies are currently supporting victims worldwide and concentrating their resources on keeping LOCKBIT at bay.

Koryak Uzan responds to LOCKBIT’s warning, posted on a new website, that it will continue its business one way or another:

Koryak Uzan: “We see they re-posted the information about their old victims on the new website. Those are the victims they have already compromised in the past, not new ones. We reckon they want to emit an image of getting back, but their actions just showcase that they are afraid their credibility has been compromised and they want to save their reputation. That’s our take on the current situation.”

It's important to note that tracing cybercriminals is a complex and ongoing process. Cybersecurity researchers continuously evolve their methods to keep pace with the changing tactics of threat actors. Additionally, the legal and ethical considerations surrounding cyber investigations are paramount, and firms like PRODAFT operate within the bounds of the law to ensure the responsible pursuit of cybercriminals.

More cases

It's not the first time that PRODAFT in The Hague has helped the authorities with long-term and extensive research, sharing relevant findings about cybercriminals. Recently published research by PRODAFT helped to disrupt the activities of Mikhail Pavlovich Matveev, also known by the moniker Wazawaka. Matveev is currently under scrutiny for his alleged involvement in cybercriminal activities, prompting concerns across the cyber realm.

The PRODAFT Team stated: “Maybe there is no extradition treaty, but this research provides a comprehensive analysis of Wazawaka’s background, affiliations, and tactics in the threat landscape associated with his activities. It includes information about Wazawaka’s team and his close relations with other threat actors. Security leaders who wish to improve their risk management models and boost cyber resilience against sophisticated threats can learn a lot to protect themselves.”

Cybersecurity Network in The Hague

The company PRODAFT is based at the HSD Campus in The Hague, International City of Peace and Justice. The campus is the core of the Dutch security cluster Security Delta (HSD) and the place where businesses, knowledge institutions and government work together to make our digitising world more secure.

The Hague has a strong ecosystem of cybersecurity companies and institutions. During Cybersecurity Week in 2023, the Municipality of The Hague announced a free cybersecurity programme for the 200+ NGOs based in The Hague, led by the Cyberpeace Institute.


For more information about the beginning of LOCKBIT’s operations in 2021, see: LOCKBIT's operation in 2021.
For the full story and lessons learned of Wazawaka, see: Smoke and Mirrors: Understanding the workings of Wazawaka.
Read more on Security Delta (HSD).