Law enforcement agencies arrest 4 alleged LockBit members

Authorities arrested four suspected members of the LockBit ransomware gang during the third phase of the international law enforcement effort dubbed Operation Cronos.

Europol announced on Tuesday that four new arrests were made in the fight against LockBit, one of the most prolific ransomware-as-a-service groups on the threat landscape. The arrests were made as part of the third phase of Operation Cronos, a joint law enforcement effort that temporarily disrupted LockBit's operations earlier this year.

Now, Europol said French authorities arrested one suspected developer of Lockbit ransomware and British authorities arrested two threat actors for allegedly supporting the activity of LockBit affiliate. Additionally, Europol said Spanish authorities arrested an alleged administrator who ran LockBit's bulletproof hosting service. The law enforcement agencies did not identify the four suspects at press time.

Operation Cronos was first announced in February after the international operation, led by the U.K.'s National Crime Agency (NCA), successfully seized LockBit's websites, servers, source code and decryption keys. News of the recent arrests was initially teased by law enforcement agencies on one of the seized LockBit leak sites that authorities took control of in Phase 1.

While vendors and researchers confirmed the operation did disrupt LockBit activity, the ransomware gang quickly resumed operations. During the second phase, authorities exposed and sanctioned LockBit's alleged ringleader Dimitry Yuryevich Khoroshev, a Russian national known in cybercrime circles as LockBitSupp.

While Khoroshev was not arrested, infosec experts agreed that revealing his identity was successful because it potentially limited his ability to start another ransomware group and deterred other cybercriminals from working with him.

On Tuesday, Europol also announced that Australia, U.K. and U.S. authorities sanctioned a threat actor that the NCA said is a prolific affiliate of LockBit and linked to Evil Corp.

The authorities sanctioned 23 alleged cybercriminals overall during the third phase of Operation Cronos. Sixteen of them were linked to Evil Corp. NCA added that law enforcement discovered a link between LockBit and Evil Corp despite "claims that the two ransomware groups do not work together."

In a separate press release on Tuesday, NCA said Evil Corp emerged in 2014 as a "family-centered financial crime group in Moscow" but grew into a significant cybercriminal operation that extorted at least $300 million from victim organizations worldwide, including those in the healthcare and government sectors. The agency added that some members of Evil Corp had ties to the Russian government.

Also on Tuesday, the U.S. Justice Department unsealed an indictment against a Russian national and alleged key Evil Corp member named Aleksandr Viktorovich Ryzhenko. He is charged with using the BitPaymer ransomware variant against "numerous" victim organizations throughout the U.S since at least 2017.

The unsealed indictment stated Ryzhenko used phishing, malware and vulnerability exploitation to gain initial access to victim organizations before deploying ransomware. Ryzhenko is accused of demanding millions of dollars in ransoms. In addition to the charges, the Justice Department added Ryzhenko to its list of specially designation nationals, which blocks any property he holds in the U.S. and includes financial sanctions.

Jon DiMaggio, chief security strategist at threat intelligence vendor Analyst1, told TechTarget Editorial that while LockBit's operations have been significantly disrupted by Operation Cronos and the recent arrests, it's difficult to say how effective Tuesday's actions will be to quell Evil Corp. He said that the sanctions issued against Evil Corp members could deter other cybercriminals from working with them, which would cause a decrease in the group's activity.

"Evil Corp, as it exists today, is more of a hybrid team that works with other RaaS providers like LockBit. The big difference is that Evil Corp does not have its own program, infrastructure and associated operations that rely on trust and cooperation of other criminals," DiMaggio said. "They don't need to recruit other hackers or build an empire based on their name and reputation. They can simply up and move to any other RaaS provider that will accept them into its operation. Due to this, outside of an arrest, there is not a lot that will stop the team from continuing its efforts."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.