Two alleged LockBit ransomware actors have been arrested in Ukraine and Poland as part of ‘Operation Cronos’, which disrupted the infamous LockBit ransomware operation responsible for billions of euros’ worth of damage.
According to Europol’s official statement, the operation involved law enforcement from 10 countries, including the US, the UK, Australia, Canada, France, Germany, Japan, the Netherlands, Sweden, Switzerland, Finland, New Zealand, Poland and Ukraine.
"The months-long operation has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise. This includes the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom," Europol said.
As was reported earlier, the UK's National Crime Agency took control of LockBit’s technical infrastructure, as well as the group’s leak site, used for hosting the data stolen from victims in ransomware attacks. The NCA also obtained over 1,000 decryption keys. The Japanese Police, the NCA, and the Federal Bureau of Investigation (FBI) developed a LockBit 3.0 Black Ransomware decryption tool with Europol's support, which is available through the 'NoMoreRansom' portal.
Authorities have also frozen more than 200 cryptocurrency accounts linked to the LockBit enterprise.
In addition, the US Department of Justice has unsealed two search warrants that authorized the FBI to disrupt multiple US-based servers used by LockBit members in connection with the LockBit disruption. Those servers were used by LockBit administrators to host the so-called “StealBit” platform, a criminal tool used by LockBit members to organize and transfer victim data.
The US authorities have charged two Russian nationals, Artur Sungatov and Ivan Kondratyev (aka Bassterlord), with offenses related to the deployment of LockBit against numerous victims throughout the United States and worldwide. Both Sungatov and Kondratyev have been sanctioned by the US Department of Treasury's Office of Foreign Assets Control.
Sungatov is accused of deploying the ransomware against companies in manufacturing, logistics, insurance, and other sectors across several states including Minnesota, Indiana, Puerto Rico, Wisconsin, Florida, and New Mexico since January 2021. Similarly, Kondratyev is alleged to have targeted municipal and private entities in Oregon, Puerto Rico, and New York, as well as international targets in Singapore, Taiwan, and Lebanon starting from August 2021. Kondratyev was also charged with operating the REvil/Sodinokibi ransomware.
Both Sungatov and Kondratyev are alleged to have been involved in the global LockBit ransomware operation, which also allegedly included Russian nationals Mikhail Matveev and Mikhail Vasiliev.
In May 2023, Mikhail Matveev (aka Wazawaka) was accused of deploying various ransomware strains, including LockBit, to target numerous victims across the US, including the Washington, D.C., Metropolitan Police Department.
In November 2022, Mikhail Vasiliev, a dual Russian and Canadian citizen, was charged for his involvement in the global ransomware campaign linked to LockBit. He is currently detained in Canada awaiting extradition to the United States. Another LockBit member, Ruslan Astamirov, was charged in June 2023; he is currently in custody in the US awaiting trial.