Motilal Oswal logo

LockBit claims cyberattack on Indian broker Motilal Oswal

by with No Comment Tech

Motilal Oswal logo

Image Credits: Jagmeet Singh / TechCrunch

The prolific ransomware gang LockBit has claimed responsibility for hacking one of India’s top brokerage firms, Motilal Oswal. Indian authorities say they are aware and investigating the incident.

On Tuesday, LockBit added the Indian brokerage giant Motilal Oswal to its dark web leak site, according to the listing seen by TechCrunch. Cybercriminal groups often use their leak sites to extort ransom payments from their victims, and threaten to publish the victim’s stolen data if they fail to pay.

LockBit claims to have accessed “confidential company data.”

Motilal Oswal serves around six million clients across hundreds of cities in India and holds assets under advice of about $53 billion.

It’s unclear if the brokerage firm is experiencing any operational disruption. Spokespeople for Motilal Oswal did not respond to multiple emails requesting comment, but did not dispute an incident.

India’s Computer Emergency Response Team, or CERT-In, told TechCrunch in an email on Thursday that it was aware of the matter and was “already in process of taking appropriate action.”

Founded in 1987, Motilal Oswal operates a list of financial services, including asset and wealth management, equity and commodity trading, investment banking, institutional broking and mutual fund distribution. The financial giant also owns a private equity subsidiary called Motilal Oswal Alternatives, which has backed a range of companies, including electronic manufacturers Dixon and VVDN Technologies, as well as startups including KreditBee.

Since 2022, LockBit has emerged as one of the most deployed ransomware variants worldwide. The Russia-linked ransomware gang claimed attacks on tech companies including Taiwanese chipmaker TSMC, IT services firm Accenture and manufacturer Foxconn. Last year, the LockBit group also attacked Indian pharmaceutical company Granules India and India’s state-owned National Aerospace Laboratories.

a photo of UK and US officials sitting at a red table discussing the LockBit takedown

US sanctions LockBit members after ransomware takedown

by with No Comment Tech

a photo of UK and US officials sitting at a red table discussing the LockBit takedown

Image Credits: Kelvin Chan / AP

The U.S. government has sanctioned two key members of LockBit, the Russian-speaking hacking and extortion gang accused of launching ransomware attacks against victims across the U.S. and internationally.

In a post on Tuesday, the U.S. Treasury confirmed it is sanctioning two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev.

Sungatov and Kondratiev were separately indicted by U.S. prosecutors on Tuesday for their alleged involvement with LockBit.

Kondratiev is also accused of involvement with REvil, RansomEXX and Avaddon ransomware gangs.

“The United States will not tolerate attempts to extort and steal from our citizens and institutions,” said U.S. Deputy Secretary of the Treasury Wally Adeyemo in a statement. “We will continue our whole-of-government approach to defend against malicious cyber activities, and will use all available tools to hold the actors that enable these threats accountable.”

The newly imposed sanctions mean it is now illegal for U.S. businesses or individuals to pay or otherwise transact with those named by sanctions, a tactic typically used to discourage American victims from paying a hacker’s ransom.

Sanctioning the individuals behind cyberattacks makes it more difficult for the individual hackers to profit from ransomware, rather than targeting groups that can rebrand or change names to skirt sanctions.

Those who are caught violating U.S. sanctions law, such as companies paying a sanctioned hacker, can lead to hefty fines and criminal prosecution.

The sanctions dropped hours after U.S. and U.K. authorities announced a global law enforcement operation aimed at disrupting LockBit’s infrastructure and operations. The authorities announced the seizure of LockBit’s infrastructure on the gang’s own dark web leak site, which the group previously used to publish victims’ stolen data unless a ransom was paid.

a screenshot showing the now-seized LockBit site
A screenshot of the now-seized LockBit leak site. Image Credits: TechCrunch (screenshot)

U.S. prosecutors accuse LockBit’s operators of using ransomware in more than 2,000 cyberattacks against victims in the U.S. and worldwide, making some $120 million in ransom payments since it was founded in 2019.

LockBit has taken credit for hundreds of hacks over the years, including California’s Department of Finance, the U.K. postal service Royal Mail and U.S. dental insurance giant MCNA, affecting millions of individuals’ personal information.

The U.S. sanctions announced Tuesday are the latest round of actions targeting the hackers behind LockBit and other prolific ransomware gangs.

In 2022, Russian-Canadian dual national Mikhail Vasiliev was arrested on allegations of launching multiple LockBit ransomware attacks. A year later, U.S. authorities arrested Ruslan Magomedovich Astamirov under similar allegations. Both suspects remain in custody awaiting trial.

A third suspect, Russian national Mikhail Pavlovich Matveev, was accused of involvement in several ransomware operations, including LockBit. Matveev, who remains at large, was subject to U.S. sanctions in 2023, preventing U.S. victims from paying a ransom to him or his associated ransomware gangs, including Hive and Babuk. The U.S. government also has a $10 million reward for information leading to Matveev’s arrest.

In its announcement Tuesday, the U.S. government did not yet name the suspected LockBit ringleader, who goes by the moniker LockBitSupp. The now-seized LockBit dark web leak site says law enforcement plans to release more information on the alleged leader on Friday, including details of a $10 million bounty for information leading to their location or identification.

Besides sanctions, the U.S. does not ban or otherwise restrict victims from paying a ransom, though the FBI has long advised victims against paying off hackers for fear of perpetuating future cyberattacks. Security researchers say that ransomware victims who pay a ransom are more likely to experience subsequent ransomware attacks.

Read more on TechCrunch:

Why are ransomware gangs making so much money?Why ransomware victims can’t stop paying off hackersDo government sanctions against ransomware groups work?Why extortion is the new ransomware threat

Authorities disrupt operations of notorious LockBit ransomware gang

Feds hack LockBit, LockBit springs back. Now what?

by with No Comment Tech

Image Credits: Just_Super / Getty Images

Days after it was knocked offline by a sweeping, years-in-the-making law enforcement operation, the notorious Russia-based LockBit ransomware group has returned to the dark web with a new leak site complete with a number of new victims.

In a verbose, borderline-rambling statement published Saturday, the remaining LockBit administrator blamed its own negligence for last week’s disruption. A global law enforcement effort launched an operation that hijacked the ransomware gang’s infrastructure by exploiting a vulnerability in LockBit’s public-facing websites, including the dark web leak site that the gang used to publish stolen data from victims.

“Operation Cronos,” as the feds dubbed it, also saw the takedown of 34 servers across Europe, the U.K., and the U.S., the seizure of more than 200 cryptocurrency wallets, and the arrests of two alleged LockBit members in Poland and Ukraine.

Just five days on, LockBit announced that its operations had resumed, claiming to have restored from backups unaffected by the government takedown. In its statement, LockBit’s administrator threatened to retaliate by saying it would target the government sector.

A spokesperson for the National Crime Agency, which led Operation Cronos, told TechCrunch on Monday following LockBit’s return that its takedown operation “successfully infiltrated and took control of LockBit’s systems, and was able to compromise their entire criminal operation.”

“Their systems have now been destroyed by the NCA, and it is our assessment that LockBit remains completely compromised,” the NCA said.

Law enforcement claiming overwhelming victory while the apparent LockBit ringleader remains at large, threatening retaliation, and targeting new victims puts the two at odds — for now. With more than a dozen new victims claimed since its brazen relaunch, LockBit’s demise might have been overstated.

As the cat-and-mouse game between the feds and the criminals rolls on, so does the fighting talk — and the bold claims from both sides.

While the NCA promised a big reveal of the gang’s long-standing leader, who goes by the name of “LockBitSupp,” the agency disclosed little about the administrator in a post to LockBit’s own compromised dark web leak site on Friday.

“We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with Law Enforcement :),” the vaguely worded NCA message read.

U.S. law enforcement agencies have also offered a multimillion-dollar reward for details “leading to the identification or location of any individual(s) who hold a key leadership position” in the LockBit gang — suggesting the authorities either don’t have that information or cannot yet prove it.

With the apparent administrator LockBitSupp still in action — the last remaining piece of the LockBit puzzle — it’s unlikely LockBit is going away. Ransomware gangs are known to quickly regroup and rebrand even after law enforcement disruption claims to have taken them down for good.

Take another Russia-based ransomware gang: ALPHV, also known as BlackCat, last year was dealt a similar blow when law enforcement agencies seized its dark web leak site and released decryption keys so victims could regain access to stolen files. Just days later, the ALPHV announced it “unseized” its leak site and claimed the FBI only had decryption keys for 400 or so companies — leaving more than 3,000 victims whose data remains encrypted.

At the time of writing, ALPHV’s leak site remains up and running — and continues to add new victims almost daily.

Other ransomware gangs, such as Hive and Conti, have faced similar law enforcement action in recent years but are said to have simply rebranded and re-formed under different names. Members of Conti are said to be operating under the new ​​Black Basta, BlackByte, and Karakurt groups, while former Hive members rebranded as a new ransomware operation dubbed Hunters International.

The LockBit takedown, while hailed by many as one of the most significant in recent years, is unlikely to be much different — and the signs are already there.

In its long-winded post, LockBit claimed that law enforcement only obtained a handful of decryptors, arrested the wrong people, and failed to take down all of the websites under its control. LockBit also vowed that in light of the operation, it would upgrade the security of its infrastructure, manually release decryptors, and continue its affiliate program.

“No FBI with their assistants can scare me and stop me, the stability of the service is guaranteed by years of continuous work,” LockBit’s rant continued. “They want to scare me because they cannot find and eliminate me, I cannot be stopped.”

The NCA told TechCrunch that the agency “recognized LockBit would likely attempt to regroup and rebuild their systems” but acknowledged that the agency’s work continues to disrupt the group.

“We have gathered a huge amount of intelligence about them and those associated with them, and our work to target and disrupt them continues,” said NCA spokesperson Richard Crowe.

Law enforcement’s acknowledgment that it’s still working to disrupt the gang tells us all we need to know: LockBit isn’t dead yet, and it likely never was.

Why are ransomware gangs making so much money?

A screenshot of the seized LockBit darknet website.

Police resurrect LockBit's site and troll the ransomware gang

by with No Comment Tech

A screenshot of the seized LockBit darknet website.

Image Credits: TechCrunch (screenshot)

An international coalition of police agencies have resurrected the dark web site of the notorious LockBit ransomware gang, which they had seized earlier this year, teasing new revelations about the group.

On Sunday, what was once LockBit’s official dark net site reappeared online with new posts that suggest the authorities are planning to release new information about the hackers in the next 24 hours, as of this writing.

The posts have titles such as “Who is LockBitSupp?” “What have we learnt,” “More LB hackers exposed,” and “What have we been doing?”

In February, a law enforcement coalition that included the U.K.’s National Crime Agency (NCA), the U.S. Federal Bureau of Investigation, and forces from Germany, Finland, France, Japan and others announced that they had infiltrated LockBit’s official site. The coalition seized the site and replaced information on it with their own press release and other information in a clear attempt to troll and warn the hackers that the authorities were on to them.

The February operation also included the arrests of two alleged LockBit members in Ukraine and Poland; the takedown of 34 servers across Europe, the U.K., and the U.S.; and the seizure of more than 200 cryptocurrency wallets belonging to the hackers.

FBI spokesperson Samantha Shero told TechCrunch that the bureau had no comment. The NCA did not respond to a request for comment.

LockBit first emerged in 2019 and has since become one of the most prolific ransomware gangs in the world, netting millions of dollars in ransom payments. The group has proven to be very resilient. Even after February’s takedown, the group has reemerged with a new dark web leak site, which has been actively updated with new alleged victims.

All the new posts on the seized website, except for one, have a countdown that ends at 9 a.m. ET on Tuesday, May 7, suggesting that’s when law enforcement will announce the new actions against LockBit. Another post says the site will be shut down in four days.

Since the authorities announced what they called “Operation Cronos” against LockBit in February, the group’s leader, known as LockBitSupp, has claimed in an interview that law enforcement has exaggerated its access to the criminal organization as well as the effect of its takedown.

On Sunday, the hacking collective vx-underground wrote on X that they had spoken to LockBit’s administrative staff, who had told them the police were lying.

“I don’t understand why they’re putting on this little show. They’re clearly upset we continue to work,” the staff said, according to vx-underground.

The identity of LockBitSupp is still unknown, although that could change soon. One of the new posts on the seized LockBit site promises to reveal the hacker’s identity on Tuesday. It has to be noted, however, that the previous version of the seized site also appeared to promise to reveal the gang leader’s identity, but eventually did not.

This story was updated to include the FBI’s no comment.