Cyberattack Leader Faces 40 Years Imprisonment and LockBit RaaS Infrastructure Operations Disrupted

Leader of Gang Responsible for the Attack on University of Vermont Medical Center Facing 40 Years' Imprisonment

A Ukrainian national charged with leading groups that infected thousands of enterprise computers with malware has pleaded guilty in federal court in Nebraska to one count of conspiracy to commit wire fraud and one count of conspiracy to violate U.S. anti-racketeering laws. One victim, the University of Vermont Medical Center, was hit with ransomware that forced its IT systems offline for more than two weeks. The attack prevented the medical center from providing critical patient services for about two weeks. The Department of Justice said the attack on the medical facility put patients at risk of death or serious bodily injury and cost the organization more than $30 million.

Vyacheslav Igorevich Penchukov, 37, also known as Vyacheslav Igoravich Andreev and known online as Tank and Father, was arrested for leading IcedID and JabberZeus, two cybercriminal groups active from 2009 to 2021. JabberZeus distributed the Zeus banking trojan and IcedID distributed the IcedID banking trojan. These well-known malware families were used to steal usernames, passwords, and other data that allowed access to online bank accounts.

According to the Department of Justice, Penchukov and his co-conspirators then falsely told banks that they were the victims' employees and were authorized to transfer money from the victims' bank accounts, causing the banks to make unauthorized transfers from those accounts and resulting in losses of millions of dollars. The groups then used money mules in the U.S. to receive the fraudulent transfers, withdraw the funds, and send the money to accounts abroad controlled by Penchukov and his co-conspirators.

Penchukov was charged in 2012 for his role in the JabberZeus group and was placed on the Federal Bureau of Investigation's (FBI) Most Wanted List, where he remained for roughly ten years. While on the FBI's Most Wanted List, Penchukov led the IcedID group between November 2018 and February 2021. IcedID likewise infected devices with malware to steal banking credentials. The IcedID trojan can also be used to deliver other malware payloads, such as ransomware, as was the case in the October 2020 attack on the University of Vermont Medical Center.

Penchukov was arrested in Switzerland in 2022 and extradited to the United States in 2023. On February 15, 2024, Penchukov appeared in court in Lincoln, Nebraska, and pleaded guilty to one count of conspiracy to commit a Racketeer Influenced and Corrupt Organizations (RICO) Act offense for his role in the JabberZeus gang, and one count of conspiracy to commit wire fraud for his role in the IcedID group. Penchukov faces around 40 years' imprisonment, approximately 20 years for each count, beginning on May 9, 2024.

LockBit RaaS Infrastructure Disrupted by International Law Enforcement Operation

The high-profile LockBit ransomware-as-a-service (RaaS) group has been significantly disrupted by an international law enforcement operation that seized the group's infrastructure, including servers, Tor sites, its affiliate panel, its public-facing data leak site, the StealBit data exfiltration tool, and over 200 cryptocurrency wallets. Two individuals who carried out attacks using LockBit ransomware were arrested in Ukraine and Poland and will be extradited to the United States to stand trial. U.S. and French judicial authorities have also issued three international arrest warrants and five criminal cases. Over 1,000 decryption keys were seized, and a free decryptor for LockBit 3.0 was developed and made available on the No More Ransom website. The seizure of the cryptocurrency wallets means it may be possible for victims to recover a portion of their ransom payments.

The UK's National Crime Agency (NCA) described LockBit as the most dangerous cybercrime group operating today. The RaaS group has been active for four years and has attacked many organizations around the world; in the third quarter of 2023 alone, the gang added 275 new victims to its data leak site. The group has carried out numerous cyberattacks on critical infrastructure organizations, including healthcare providers, and the attacks have resulted in losses of billions of dollars. According to the Department of Justice, the group attacked more than 2,000 victims, issued ransom demands worth millions of dollars, and received about $120 million in ransom payments.

Law enforcement agencies in 10 countries took part in "Operation Cronos," which was led by the NCA and coordinated by Eurojust and Europol. The operation began in April 2022 and has resulted in the takedown of 34 servers in Germany, France, Finland, the Netherlands, Australia, Switzerland, the United Kingdom, and the United States, and more than 14,000 rogue accounts were identified and referred by the authorities for deletion. LockBit members used the accounts to host tools and software used in attacks and to store data stolen from victims.

The affiliate panel now displays a notice to all affiliates from the FBI, NCA, Europol, and the Operation Cronos Law Enforcement Task Force. Law enforcement has taken control of LockBit's platform and obtained all of the data on its servers, including source code, details of the victims, the sums of money extorted, chat messages, and more.

LockBitSupp is the threat actor who runs the LockBit RaaS operation; the LockBitSupp persona is believed to be operated by one or two people. The Russian-speaking actor claimed that the law enforcement operation exploited a critical PHP vulnerability, CVE-2023-3824, which was first disclosed in August 2023. The vulnerability can result in a stack buffer overflow, memory corruption, and potentially remote code execution.

The seizure of the group's infrastructure is significant, and the extent of the data obtained may be a concern for the gang's affiliates, especially those living in jurisdictions where authorities can reach them. It is unlikely, however, that the group's core members will be prosecuted, as they are believed to be residing in Russia. They may choose to rebuild and return under a new operation, as ransomware gangs often do following law enforcement disruption.

The U.S. Department of State is also offering rewards of around $15 million through the Transnational Organized Crime Rewards Program for information about LockBit members: around $10 million for information leading to the identification or location of any individual holding a leadership role in the LockBit operation, and around $5 million for information leading to the arrest and/or conviction of any person conspiring or attempting to participate in LockBit ransomware activities.


Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA