• After an international operation took control of its website, the Office of Foreign Assets Control identified two Russian nationals as well as 10 bitcoin and Ethereum addresses.
• The law enforcement agencies have said that they will provide decryption keys to victims.

The U.S. Treasury Department’s sanctions watchdog has added more than a dozen Bitcoin and Ether addresses to its global list, alleging that they are used by ransomware providers.

In a Tuesday statement, the Office of Foreign Assets Control (OFAC) identified Artur Sungatov and Ivan Kondratyev as two Russian nationals who were indicted on charges related to the deployment of ransomware. OFAC also listed 10 bitcoin and Ethereum addresses (none of them containing funds at the time of publication), and prohibited U.S. companies from providing financial services to these two. OFAC and the U.S. Department of Justice claim that they are members of the LockBit group, which is one of the most prolific ransomware distribution groups in the world. They have been accused of stealing over $120 million from more than 2,000 victims.

In a ransomware attack, malicious actors lock victims out of their devices until they pay a ransom, usually in cryptocurrency.

Operation Cronos, a coordinated international effort by agencies including the DOJ, Europol, the U.K. National Crime Agency and agencies from other countries, seized LockBit’s website and several pages this week. Law enforcement agencies have announced that they will be providing decryption keys to victims to allow them to regain access to their devices.

A press statement from Europol states that more than 200 cryptocurrency accounts linked to LockBit were frozen. Authorities in the U.S., U.K. and EU also seized different parts of the infrastructure used by the ransomware group.

Arkham Intelligence data shows that some of the addresses listed on Tuesday by OFAC were for KuCoin, Coinspaid, Binance and other deposit addresses.

LockBit has been used against municipal entities as well as private companies in many countries.

“The LockBit ransomware variant, like other major ransomware variants, operates in the ‘ransomware-as-a-service’ (RaaS) model, in which administrators, also called developers, design the ransomware, recruit other members — called affiliates — to deploy it, and maintain an online software dashboard called a ‘control panel’ to provide the affiliates with the tools necessary to deploy LockBit,” the DOJ press release said.

Sheldon Reback is the editor.