20 February 2024


UK NCA and international partners disrupt LockBit | Cyber Intelligence Briefing: 20 February



Top news stories this week

  1. Breaking: LockBit disrupted by UK and international law enforcement. 
  2. On the hunt. US government offers rewards to catch the leaders of the BlackCat ransomware gang. 
  3. Code red. Multiple hospitals across Romania disrupted by cyber attack.
  4. Weaponised intelligence. OpenAI takes down accounts linked to five state-backed hackers. 
  5. Shutdown. US takes down botnet controlled by Russian military intelligence.
  6. Biometrics breached. Facial recognition data leveraged for unauthorised bank access.
  7. Rhysida decoded. South Korean researchers release free decryptor for Rhysida ransomware.


1. UK NCA and international partners disrupt LockBit  

The UK National Crime Agency (‘NCA’) and international law enforcement agencies, including the FBI, have disrupted LockBit, the world’s most prolific ransomware gang. LockBit’s leak site states that the extortion page is now under the control of the NCA, which has obtained over 1,000 decryption keys for the gang’s victims.

The coordinated global takedown has so far seen two operators of LockBit arrested in Poland and Ukraine, the seizure of over 200 crypto wallets belonging to the gang, and three international arrest warrants and five indictments issued by French and US authorities, including two that were unsealed by the US Department of Justice against Russian nationals Artur Sungatov and Ivan Gennadievich Kondratiev. The US has also imposed sanctions on the pair.

So what?

LockBit is believed to have extorted over USD 120 million from victims around the world, so the takedown is welcome news. However, it remains to be seen just how impactful this move from law enforcement will be.

[Researcher: Waithera Junghae] 

2. BlackCat continue to boast attacks as the US government offers rewards for information

The US government has offered rewards of up to USD 15 million for information relating to the ransomware gang known as BlackCat. This follows attempts by the FBI to take down the group’s infrastructure late last year. The gang has shown no signs of stopping, and recently claimed responsibility for an attack on Canadian pipeline operator Trans-Northern Pipeline, allegedly publishing 183 GB of the company’s data on their leak site.

So what?

The attack has echoes of the 2021 attack on Colonial Pipeline, which led to the dismantling of ransomware group DarkSide following intense US law enforcement pressure.    

[Researcher: Adelaide Parker]

3. Ransomware threat actor targets hospitals across Romania

100 Romanian hospitals have been impacted by a ransomware attack targeting a widely used health management system. The attack focused on production servers of the Hipocrate Information System (HIS), which stores patient and medical data. 25 hospitals have confirmed data encryption and the remaining 75 have taken their HIS offline whilst the investigation continues.

So what?

Organisations must protect their critical systems with proportionate security measures, including secure, offsite backups that are frequently tested to enable a quick and accurate incident recovery.

[Researcher: Adelaide Parker]




4. OpenAI takes down accounts linked to five state-backed hackers 

OpenAI, the artificial intelligence company behind ChatGPT, has taken down accounts linked to state-backed hacking groups from China, Iran, North Korea, and Russia in collaboration with Microsoft.

OpenAI stated that the groups were using AI to further cyber attacks, including by generating scripts and creating content for phishing campaigns.

So what?

As technology advances, opportunistic cyber criminals will continue to find ways to leverage AI. Given the pace of these evolving threats, organisations should consider incorporating AI into their own defensive strategies.

[Researcher: Waithera Junghae]

5. US and partners take down botnet controlled by Russian intelligence service

US agencies and international enforcement partners have shut down a botnet linked to Russia’s military intelligence agency, the GRU. The botnet, which was used to commit a variety of cyber crimes including vast spear phishing and credential harvesting campaigns, had gained access to more than 1,000 home and small business routers.

So what?

The impact of such operations is often short-lived as cybercriminals find new methods and techniques to achieve their objectives. Organisations should continue to invest in cyber security defences despite the crackdown.

[Researcher: Waithera Junghae]

6. Hackers breach bank accounts leveraging stolen facial recognition data 

A sophisticated hacking group has breached bank accounts at Thai and Vietnamese financial institutions using stolen facial recognition data. The group utilised trojan malware to help impersonate government agencies and trick victims into downloading malicious apps that required video recording for facial recognition.

So what?

With the rise of deepfakes, facial recognition technology is not infallible, but up-to-date training can help reduce the risk of employees falling victim to such schemes.

[Researcher: Lawrence Copson]

7. South Korean researchers release free decryption tool for Rhysida ransomware 

South Korean researchers have released a free decryption tool for Windows against the Rhysida strain of ransomware. The researchers discovered a vulnerability in the strain that permitted reverse engineering of the encryption key.

So what?

While the decryption tool will be valuable for any recent victims, Rhysida is likely to quickly fix the vulnerability.

[Researcher: Lawrence Copson]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.

