Like many ransomware gangs, LockBit demands its victims pay in cryptocurrencies such as Bitcoin (BTC) or Monero (XMR). Victims are often coerced into sending funds to specific wallet addresses to access decryption keys or prevent data leaks. Affiliates then usually attempt to clean the funds using mixers, cross-chain swaps, or privacy coins to dodge detection.

The dark web platforms of LockBit affiliates were altered with a message containing a link to a database dump. The message stated, “Don’t do crime CRIME IS BAD xoxo from Prague,” according to cybersecurity publication, Bleeping Computer.

BleepingComputer’s examination of the leaked LockBit database, first highlighted by the cyber threat actor, Rey, revealed 20 tables with revealing details. One table includes almost 60,000 Bitcoin addresses, likely a combination of addresses used by the gang’s affiliates and infrastructure. Another reveals ransomware builds specific to certain targets. The leak also discloses configuration details for attacks, such as which servers to avoid or which files to encrypt. A chat log unveils over 4,400 negotiations between the ransomware operation and its victims, and a user table names 75 admins and affiliates, with passwords in plain text, including samples like “Weekendlover69” and “Lockbitproud231.”

A LockBit operator known as “LockBitSupp” confirmed the breach to Rey, ensuring that no private keys were leaked. Bleeping Computer indicates that the database dump likely occurred around April 29, as suggested by the MySQL timestamp and the latest chat record. However, the identity of the individual or group behind the breach and the means by which it was executed are still unknown. The defacement message mirrors one used in a recent attack on Everest ransomware’s dark web site, hinting at a potential connection.

The server was found to be running PHP 8.1.2, which is vulnerable to CVE-2024-4577 – a critical flaw that can facilitate remote code execution. In February 2024, Operation Cronos, an international law enforcement initiative, dismantled LockBit’s infrastructure, seizing 34 servers, stolen data, cryptocurrency addresses, 1,000 decryption keys, and its affiliate panel. Despite this setback, LockBit managed to rebuild and resume operations, only to face another significant blow in May of the same year when U.S. authorities unmasked and indicted its ringleader, Dmitry Khoroshev, on 26 criminal counts.

The post Cybercriminals Beware: LockBit Ransomware Gang’s Bitcoin Addresses Exposed in Counter-Hack appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.

The Accused and the Charges

Mikhail Pavlovich Matveev, also known by aliases such as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, stands accused of conducting a wide-scale attack against several victims across the US. The affected sectors spanned law enforcement agencies in Washington, D.C. and New Jersey, along with other victims in the healthcare sector and other industries nationwide.

Matveev’s attack dates back to 2020, deploying ransomware variants LockBit, Babuk, and Hive. Reports indicate that Matveev demanded as much as $400 million in ransom payments, successfully making off with $200 million.

Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division, in a statement regarding Matveev, said, “From his home base in Russia, Matveev allegedly used multiple ransomware variants to attack critical infrastructure around the world. We will not relent in imposing consequences on the most egregious actors in the cybercrime ecosystem.”

A Closer Look at Wazawaka

Matveev, a notorious figure in the cybercrime landscape, reportedly went rogue in 2022, posting exploit codes and taunting researchers and journalists. His carefree attitude in the face of increased scrutiny from ransomware groups seems to have finally caught up with him, as demonstrated by recent law enforcement action.

He frequently shared information about his attacks, contradicting the caution exercised by other ransomware groups. Soon, publishers started sharing selfies and videos associated with Matveev, further exposing his activities.

Continued Activity by Russian Hackers in the Crypto Sphere

Russian hackers have consistently been implicated in cryptocurrency-related attacks. In 2022, a Russian national pleaded not guilty to charges of laundering ransom payments from attacks on US infrastructure. Russian entities have also targeted a Ukrainian gas company.

However, not all activities have been overtly malevolent. An anonymous “Robin Hood” attacker has made headlines for stealing funds from Russian law enforcement and donating them to Ukraine.

The post Russian Cybercriminal Accused in $200M Crypto Ransomware Attack on US Infrastructure appeared first on Crypto Market Insights: Dive In with CryptoUpdate.io.