In the second of our three-part ransomware blog series, we discuss how dark web monitoring can be used to disrupt and take down ransomware groups operating on the dark web.
Efforts to bring down ransomware groups
In our previous blog we discussed the reasons why ransomware remains a prevalent attack technique used by cybercriminals. However, law enforcement is having increasing success in disrupting ransomware groups. In this blog, we’ll look at how law enforcement can use dark web monitoring to tackle ransomware groups and some success stories of ransomware takedowns.
How dark web monitoring can help disrupt ransomware groups
Dark web monitoring plays a critical role in helping law enforcement agencies disrupt and stop ransomware gangs. The dark web is a key platform for these gangs to operate, making it a viable source of intelligence for law enforcement. Here are some of the ways dark web monitoring can aid in stopping ransomware gangs.
Identify key threat actors and understand the organizational structure
Ransomware gangs often use dark web forums to recruit affiliates, sell Ransomware-as-a-Service (RaaS), and communicate with each other. By monitoring these forums, law enforcement can identify the usernames of the gang members and their affiliates, building a picture of who they are. Dark web activity can also reveal the structure of a ransomware operation, such as the roles of key members (affiliate, leader, or administrator). This insight helps law enforcement target the most critical members of the gang, whose arrest or removal would cause the most disruption to the ransomware group.
Tracking RaaS operations
Many ransomware gangs offer RaaS, allowing affiliates to use their ransomware in exchange for a share of the profits. Law enforcement can track these marketplaces to gather intelligence on how the malware is distributed and used, who the affiliates are, and how payments are processed. By tracking these discussions and transactions, law enforcement can identify the key platforms and servers where RaaS tools are sold or shared. After a period of building a case and learning the inner workings of the groups, agencies can shut down these platforms, making it difficult for ransomware gangs to continue their operations.
Tracking ransomware leak sites
Law enforcement can also track ransomware leak sites, which are often hosted on the dark web. These sites are used to publish stolen data when victims refuse to pay the ransom, as part of the double extortion model. Monitoring these data leak sites allows law enforcement to assess the scale of the attacks, identify the victim organizations, and understand which types of data are being targeted by ransomware gangs. Additionally, by observing patterns in the types of companies and sectors being targeted, law enforcement can advise those industries on specific threats and preventative measures.
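As an added example (not part of the original post), here is a small Python triage routine over constructed leak-site postings: it de-duplicates victims that appear on more than one group's site, counts victims by sector and country, and flags sectors whose listings have surged since a cutoff date, the kind of pattern an agency would use to warn an industry. The field names, group names and sample records are assumptions made for this example.

```python
from collections import Counter
from datetime import date

# Constructed sample postings; a real feed would be collected from the leak sites.
# Field names (group, victim, sector, country, posted) are assumptions for this example.
POSTS = [
    {"group": "groupA", "victim": "Acme Hospital", "sector": "healthcare", "country": "US", "posted": "2024-02-10"},
    {"group": "groupB", "victim": "Riverbank Credit Union", "sector": "financial", "country": "US", "posted": "2024-02-20"},
    {"group": "groupA", "victim": "Northside Clinic", "sector": "healthcare", "country": "UK", "posted": "2024-03-03"},
    {"group": "groupB", "victim": "Northside Clinic", "sector": "healthcare", "country": "UK", "posted": "2024-03-05"},
    {"group": "groupB", "victim": "Lakeside Medical", "sector": "healthcare", "country": "CA", "posted": "2024-03-06"},
    {"group": "groupA", "victim": "Metro Transit", "sector": "transportation", "country": "DE", "posted": "2024-03-07"},
    {"group": "groupA", "victim": "Pinecrest Health", "sector": "healthcare", "country": "US", "posted": "2024-03-08"},
    {"group": "groupB", "victim": "Valley School District", "sector": "education", "country": "US", "posted": "2024-03-09"},
]


def dedupe_victims(posts):
    """One record per victim, keyed on the normalised name and dated by its first listing.
    The same victim can be listed on several groups' sites, which inflates raw counts."""
    seen = {}
    for p in sorted(posts, key=lambda p: p["posted"]):  # ISO dates sort as strings
        key = p["victim"].strip().lower()
        if key not in seen:
            seen[key] = dict(p, groups={p["group"]})
        else:
            seen[key]["groups"].add(p["group"])
    return list(seen.values())


def summarize(posts):
    """Scale of the campaign, who the victims are, and who was listed by more than one group."""
    victims = dedupe_victims(posts)
    return {
        "victims": len(victims),
        "by_sector": Counter(v["sector"] for v in victims),
        "by_country": Counter(v["country"] for v in victims),
        "multi_group": sorted(v["victim"] for v in victims if len(v["groups"]) > 1),
    }


def sector_surge(posts, cutoff, ratio=2.0):
    """Sectors whose first listings on/after `cutoff` are at least `ratio` times the
    count before it. A zero baseline is treated as one so a single new listing is not a surge."""
    before, after = Counter(), Counter()
    for v in dedupe_victims(posts):
        bucket = after if date.fromisoformat(v["posted"]) >= cutoff else before
        bucket[v["sector"]] += 1
    return sorted(s for s in after if after[s] >= ratio * max(before[s], 1))
```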
Sharing dark web intelligence with other agencies
Dark web monitoring becomes even more effective when law enforcement agencies share the intelligence with other national and international counterparts. Ransomware gangs often operate across multiple countries, making it essential for different law enforcement agencies to collaborate, pool resources, and share information to combat these threats. Sharing intelligence enables a more coordinated and global response to ransomware activities. Ransomware affiliates may reside in different nations, use infrastructure located across several jurisdictions, and demand payments in cryptocurrencies that flow through international exchanges. Through international sharing, agencies can better identify patterns, trace ransomware attacks across borders, and act together to disrupt ransomware networks.
Notable law enforcement action against ransomware gangs
Over the past few years there have been several notable law enforcement actions and takedowns of ransomware groups, which show that cybercriminals can’t be complacent about the level of anonymity the dark web provides them.
LockBit and Operation Cronos
One of the most notable takedowns in the past year is that of the LockBit ransomware group. In operation for four years (since September 2019) and known initially as ABCD, LockBit rose to become the most prolific ransomware group, targeting organizations across the globe with its Ransomware-as-a-Service (RaaS). When LockBit’s malicious software infected a victim’s network, their data was stolen, their systems were encrypted, and a cryptocurrency ransom was demanded for the victim to decrypt their files and prevent their data from being published.
On February 20th, the first details of Operation Cronos came to light as international law enforcement agencies took control of LockBit’s servers, compromising its operation. This enabled the NCA to obtain the platform’s source code and a large amount of data, which led to intelligence about the cybercrime gang’s activity and the affiliates they work with to target organizations.
The technical infiltration and the disruption of the LockBit platform resulted in:
- The NCA obtaining over 1,000 decryption keys.
- Two indictments on Russian nationals (Artur Sungatov and Ivan Kondratyev).
- The arrest of two LockBit actors in Poland and Ukraine.
- Over 200 cryptocurrency accounts linked to the gang being frozen.
On Tuesday May 7 the US Department of Justice unsealed charges against Dimitry Yuryevich Khoroshev, who is subject to 26 criminal counts as well as financial and travel sanctions in the US, UK and Australia.
By taking on LockBit, the collaboration of countries and law enforcement agencies as part of Operation Cronos has sent a clear message to the cybercriminal community that operating on the dark web does not mean that you can commit crimes with impunity. It demonstrates even the biggest perpetrators can be unmasked and undermined.
Radar/Dispossessor
In August of this year, the FBI announced a victory against the Radar/Dispossessor ransomware group. Like other ransomware groups, Radar/Dispossessor was notorious and responsible for numerous ransomware attacks on businesses and government organizations around the world.
Since its inception in August 2023, Radar/Dispossessor has targeted and attacked small-to-midsize businesses and organizations from education, healthcare, financial services, and transportation sectors looking to cause maximum disruption in critical industries.
Although the group originally focused on entities in the United States, the FBI’s investigation discovered 43 companies as victims of the attacks, from countries including Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany. During its investigation, the FBI identified a multitude of websites associated with Brain and his team.
The investigation and joint takedown were conducted in conjunction with the U.K.’s National Crime Agency, Bamberg Public Prosecutor’s Office, Bavarian State Criminal Police Office (BLKA), and U.S. Attorney’s Office for the Northern District of Ohio.
As with LockBit, this takedown is another great example of how agencies can join forces to overcome the challenge of ransomware gangs on the dark web crossing borders and working across multiple jurisdictions. Without the knowledge sharing between countries, the likes of Radar/Dispossessor may never have been brought to justice, so it’s key for agencies to keep these lines of communication open.
Hive
In 2023, the FBI announced it had taken down the infamous Hive ransomware group. This ransomware group was considered dangerous because of its attempts to extort hundreds of millions of dollars from its victims. The group was also responsible for over 80 attacks on critical infrastructure organizations in 2022, according to the FBI’s “2022 Internet Crime Report.”
The Hive ransomware group targeted more than 1,500 victims in over 80 countries around the world, including hospitals, school districts, financial firms, and critical infrastructure. Its attacks caused major disruptions around the world and affected responses to the COVID-19 pandemic. In one case, a hospital attacked by Hive ransomware had to resort to analog methods to treat existing patients and was unable to accept new patients immediately following the attack.
In January 2023, the FBI described how it had penetrated Hive’s computer networks in July 2022, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demands. Since infiltrating Hive’s network in 2022, the FBI has provided over 300 decryption keys to current victims of Hive, as well as distributing over 1,000 additional decryption keys to previous Hive victims. The FBI went on to announce that, in coordination with German law enforcement (the German Federal Criminal Police and Reutlingen Police Headquarters-CID Esslingen) and the Netherlands National High Tech Crime Unit, it had seized control of the servers and websites that Hive used to communicate with its members, disrupting Hive’s ability to attack and extort victims.
Attorney General Merrick B. Garland had this to say about the takedown: “Cybercrime is a constantly evolving threat. But as I have said before, the Justice Department will spare no resources to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack. We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks.”
“Our efforts in this case saved victims over a hundred million dollars in ransom payments and likely more in remediation costs,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division.
This operation demonstrates the power of law enforcement to disrupt these operations. It will likely force the threat actors to take greater steps for operational security or alter their setup, which could create greater burdens on the ransomware groups’ workflow, slowing them down or even causing them to exit.
Making a breakthrough with dark web monitoring
Dark web monitoring provides law enforcement with a powerful tool to understand the operations of ransomware gangs, identify key threat actors, and track the tools and infrastructure involved. This intelligence can lead to targeted disruptions of ransomware operations, early detection of threats, and ultimately the disruption of ransomware networks. Persistent monitoring and analysis can bring critical breakthroughs in the fight against ransomware.