The Ukrainian leader of racketeering groups who conspired to install malware on thousands of company computers has admitted in federal court in Nebraska to one count of conspiracy to perpetrate wire fraud and one count of conspiracy to disregard U.S. anti-racketeering regulations. One victim, the University of Vermont Medical Center, was affected with ransomware leading to the taking down of IT systems for more than two weeks. The attack kept the medical center from offering critical patient services for over two weeks. The Department of Justice stated the attack on the medical facility led to a risk of death or critical bodily injury for patients and over $30 million in company costs.
Vyacheslav Igorevich Penchukov, 37, also known as Vyacheslav Igoravich Andreev and identified on the internet as Tank and Father, was arrested. He led JabberZeus and IcedID, which are two cybercriminal groups between 2009 and 2021. JabberZeus used the Zeus banking trojan while IcedID used the IcedID banking trojan to steal usernames, passwords, and other data that permitted access to be acquired to online bank accounts.
Based on the Department of Justice, Penchukov and his co-conspirators then dubiously represented to banks that they were the victim’s staff and were permitted to make transfers of cash from the bank accounts of the victims, so the banks made unauthorized transactions of funds from the victims’ accounts, resulting in the loss of millions of dollars. The groups then retained money mules in the United States to get the bogus transfers, take the funds, and then send the money to the account in a different country under the control of Penchukov and his co-conspirators.
Penchukov was indicted in 2012 for his part in the JabberZeus group and was included on the Most Wanted List of the Federal Bureau of Investigation (FBI) for about a decade. Penchukov led the IcedID gang from November 2018 to February 2021. IcedID additionally installed devices with malware to rob banking details. The IcedID trojan could likewise be employed to deliver other malware payloads, such as ransomware, just as in the instance with the attack in October 2020 on the University of Vermont Medical Center.
Penchukov was detained in Switzerland in 2022 and was extradited to America in 2023. On February 15, 2024, Penchukov appeared in court in Lincoln, Nebraska, and confessed to one count of conspiracy to do a Racketeer Influenced and Corrupt Organizations (RICO) Act offense for his job in the JabberZeus group, and one count of conspiracy to conduct wire fraud for his career in the IcedID group. Penchukov is facing about 40 years in prison – around 20 years for each count that will start on May 9, 2024.
LockBit RaaS Infrastructure Taken Down by International Law Enforcement Operation
The respected LockBit ransomware-as-a-service (RaaS) group has been severely upset by a worldwide law enforcement operation that seized the group’s infrastructure, which includes Tor sites, servers, its affiliate website, public-facing data leak site, Stealbit data exfiltration tool, and around 200 cryptocurrency wallets. Two people who performed attacks utilizing LockBit ransomware were captured in Poland and Ukraine, and they will be extradited to the U.S. to face trial. The French and U.S. judicial authorities have additionally issued three global arrest warrants and five indictments. About 1,000 decryption keys were acquired and a free decryptor for LockBit 3.0 was developed, which is available on the No More Ransom site. The seizure of the cryptocurrency wallets signifies that victims might probably get back part of the ransoms they paid.
The UK’s National Crime Agency (NCA) called LockBit the world’s most threatening cybercrime group. The RaaS group has been active for four years now and has targeted thousands of organizations worldwide, and in Quarter 3 of 2023, the gang had 275 new victims added to its data leak website. The group has carried out a lot of cyber attacks on critical infrastructure entities, which include healthcare agencies, and the attacks have resulted in the loss of billions of dollars. Based on the Department of Justice, the group carried out attacks on above 2,000 victims, released ransom demands worth millions of dollars, and received payments of at least $120 million.
Law enforcement institutions in 10 countries joined “Operation Cronos,” which was headed by the NCA and organized by Europol and Eurojust. The operation started in April 2022 and has led to the takedown of 34 servers in Germany, Finland, France, the Netherlands,
Switzerland, Australia, the United States, and the United Kingdom, and about 14,000 rogue accounts were discovered and referred for removal by law enforcement. LockBit members used the accounts for having tools and software utilized in attacks and for keeping data stolen from victims.
The affiliate panel currently shows a message for all affiliates in the NCA, FBI, Europol, and Operation Cronos Law Enforcement Task Force. Law enforcement has taken command of LockBit’s platform and acquired all the information on its servers. These details include the source code of the victims, the amount of money stolen, chats, and much, much more.
LockBitSupp is the threat actor that regulates the LockBit RaaS operation, with the LockBitSupp persona believed to be operated by one or two individuals. The Russian-speaking threat actor stated that the law enforcement operation took advantage of a critical PHP vulnerability, CVE-2023-3824, that was first disclosed in August 2023. The vulnerability causes a stack buffer overflow, likely remote code execution,
memory corruption.
The takedown of the group’s infrastructure is significant and the scope of the data breach shall be of concern to the gang’s affiliates, particularly those that live in places where law enforcement could them. It is improbable, nevertheless, that the gang core members will face justice as they are believed to be living in Russia. They may opt to rebuild and return with a new group operation, as ransomware gangs usually do follow law enforcement disruption.
The U.S. Department of State is likewise providing a reward of around $15 million via the Transnational Organized Crime Rewards Program for anyone with facts with regards to LockBit associates, such as a reward of about $10 million for data leading to the recognition or location of any individual who holds a leadership position in the LockBit operation, and a reward of up to $5 million for information that results in the detention and/or conviction of any individual conspiring to take part in or trying to participate in LockBit ransomware activities.
