
Europol Details Pursuit of LockBit Ransomware Affiliates

Operation Cronos Prioritized Disrupting Criminal Trust in the Group, Official Says
A Europol tip for catching cybercriminals: Mineral oil. (Image: Shutterstock)

What does it take to disrupt a major ransomware operation? Operation Cronos, comprising 10 national law enforcement agencies, continues to target the LockBit ransomware-as-a-service group using a variety of approaches.


"The goal of this investigation specifically was to disrupt the trust of the crime community for this specific ransomware family and for providers of the ransomware family," said Donatas Mazeika, head of the forensic support team at Europol's European Cybercrime Centre (EC3), speaking Friday at the Hardwear.io conference in Amsterdam.

Operation Cronos has already resulted in multiple arrests, including the Spanish detention of an alleged bulletproof hosting provider to the group. Police have seized dozens of servers, while financial authorities have imposed sanctions on alleged members and have frozen 200 cryptocurrency accounts. The United States indicted Russian national Dmitry Yuryevich Khoroshev, who goes by "LockBitSupp," as the group's leader, and posted a reward of up to $10 million for information that leads to his arrest or conviction.

The law enforcement operation launched in 2021 and led to the infiltration of LockBit's infrastructure by Britain's National Crime Agency, which obtained 2,500 decryption keys, plus a list of all LockBit affiliate usernames and Bitcoin addresses tied to victim payments (see: Operation Cronos Is Disrupting LockBit, Says UK Official).

Efforts to unpick LockBit continue as authorities chase a "swarm of affiliates," numbering over 200 individuals who took the group's ransomware and used it to infect victims in exchange for a sizable cut of every ransom paid, Mazeika said. "There's a lot of work to be done yet to find and arrest those who were involved in this crime."

Mazeika previously served as an investigator and digital forensic examiner at the National Criminal Police of Lithuania, later becoming its head of cybercrime investigations, before joining Europol, based in the Dutch city of The Hague, in 2019.

While cybercrime has continued to evolve - as demonstrated by the rise of cryptolocking ransomware attacks and accompanying criminal profits in the late 2010s - so too have policing capabilities. Mazeika said that in the words of one of his colleagues: "There is no such thing as cold cases if there is a blockchain involved." He added that "even 10 years after some of those big, famous hacks, we can still find the money and trace those criminals."

Using digital forensics to gather evidence remains a key component of many cases. Europol has run its own "decryption platform" since 2013, with a major new iteration introduced in 2021. Hosted by the European Commission's Joint Research Centre in Ispra, Italy, the platform consists of bulky "pods" running consumer GPUs and filled with mineral oil, which keeps their temperature low and minimizes power consumption. EC3 uses this platform to support about 40 investigations per year, typically working with European member states that lack this capability.

"Everything supported by Hashcat, we can attempt to decrypt," Mazeika said, referring to the popular password-cracking tool. He clarified that what Europol is doing isn't technically decryption - as in breaking encryption - but rather using technology to guess people's passwords, typically after investigators have already prepared a "proper word list" of possible hits, all in their effort to ultimately gain access to data stored on seized devices.
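To make the distinction Mazeika draws concrete, here is an added illustration (not Europol's platform, not Hashcat's code, and not anything from the original article) of what "guessing passwords from a prepared word list" means in practice. It assumes a constructed verifier format in which a password-protected container stores a random salt plus a PBKDF2-HMAC-SHA256 derived key; the base words, mangling rules and iteration count are all assumptions chosen for the example. Nothing cryptographic is broken: each candidate is simply run through the same derivation and compared, which is why the quality of the word list and the cost of the key-derivation function decide whether recovery is feasible at all.

```python
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

# Assumed verifier parameters (constructed for this example). Each guess
# must pay the full PBKDF2 cost, so a higher count slows every attempt.
ITERATIONS = 100_000
KEY_LEN = 32


def make_verifier(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive the stored key-check value for a password (the 'lock' on the data)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def expand_wordlist(base_words: Iterable[str], suffixes: Tuple[str, ...] = ("", "1", "!")) -> List[str]:
    """Build a 'proper word list' from case-relevant base words plus simple mangling rules.

    Rules here are deliberately small: as-is and capitalized, each with a few suffixes.
    """
    candidates: List[str] = []
    for word in base_words:
        for variant in (word, word.capitalize()):
            for suffix in suffixes:
                candidates.append(variant + suffix)
    return candidates


def wordlist_recover(verifier: bytes, salt: bytes, wordlist: Iterable[str],
                     iterations: int = ITERATIONS) -> Tuple[Optional[str], int]:
    """Try each candidate in order; return (password, attempts) or (None, attempts).

    This is guessing, not decryption: a password outside the list is never found.
    """
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        # Constant-time comparison, as a real verifier check would use.
        if hmac.compare_digest(make_verifier(candidate, salt, iterations), verifier):
            return candidate, attempts
    return None, attempts


# Constructed scenario: terms an examiner might pull from case context.
BASE_WORDS = ["europol", "hardwear", "amsterdam"]
SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed, fixed for reproducibility


def demo_in_list() -> Tuple[Optional[str], int]:
    """Password derived from a base word via a mangling rule: recoverable."""
    verifier = make_verifier("Hardwear!", SALT)
    return wordlist_recover(verifier, SALT, expand_wordlist(BASE_WORDS))


def demo_not_in_list() -> Tuple[Optional[str], int]:
    """Long passphrase with no relation to the word list: the list is exhausted."""
    verifier = make_verifier("correct horse battery staple", SALT)
    return wordlist_recover(verifier, SALT, expand_wordlist(BASE_WORDS))


if __name__ == "__main__":
    print("in-list case:", demo_in_list())
    print("not-in-list case:", demo_not_in_list())
```

The two demo functions show the asymmetry Mazeika describes: a password built from words tied to the case falls to a short list after a handful of attempts, while an unrelated passphrase is never found no matter how many GPUs are cooling in mineral oil, because nothing here weakens the derivation itself. For defenders the same code reads the other way round: a slow KDF with a high iteration count and passphrases that do not appear in any predictable list are what keep seized or stolen containers closed.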

Attribution, Infrastructure, Tracing

Mazeika said EC3 focuses on three primary areas: Attribution, meaning unmasking the individuals behind the nicknames associated with ransomware operations and identifying members of business email compromise groups; finding the infrastructure being used to support cybercrime operations including ransomware and darknet markets; and following the money.

"We are good at crypto tracing, especially at Europol," he said, where they have "very, very, very talented" people involved.

Europol's cumulative seizure of criminal infrastructure has revealed that most ransomware groups have relatively low-level knowledge and operational security, as evidenced by their penchant for "mainly going for low-hanging fruit" - typically, poorly secured, midsize enterprises, Mazeika said.

Many investigations to which EC3 has contributed have led to notable disruptions. The 2020 police infiltration of the defunct encrypted messaging service EncroChat has so far led to the arrest of more than 6,000 individuals suspected of being active members, charges against more than 200 alleged top-level operators, and the seizure of drugs, guns and more than 900 million euros (see: Suspected EncroChat Admin Extradited to France).

During his conference keynote presentation, titled "Cyber investigations: reading between the lines of law enforcement press releases," Mazeika said that not every investigation goes to plan. He referenced a Europol press release from 2020 titled "Hook, line and sinker: cybercrime network phishing bank credentials arrested in Romania." While that investigation resulted in the arrest of three suspects, he projected an image of three mobile phones seized by police, all of which the suspects smashed before being detained, complicating efforts by police to retrieve data.

"Bad operational planning can ruin any investigation; to know who did the crime, and to prove it, are absolutely different tasks and tasks of different complexity," he said. "This is a challenge that requires a lot of creativity from the law enforcement side to make sure that you get your hands on devices containing evidence when those devices are in a state which allows you to get the data out of those devices."

Modern devices "are very, very safe," while "the providers of commercial solutions" for digital forensics "are lagging quite heavily behind" the safeguards that manufacturers are building into their devices, he said. "This is the reality of life that we face, and this is the reality of life that we need to try to compensate for by proper operational planning, as law enforcement."


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



