Police arrest suspected LockBit operator as the ransomware gang spills new data

A dual Russian and Canadian national linked to the LockBit ransomware operation has been arrested over his alleged involvement in attacks targeting critical infrastructure and large industrial groups worldwide.

Mikhail Vasiliev, 33, was arrested in Ontario, Canada on October 26 following an investigation led by the French National Gendarmerie with the help of Europol’s European Cybercrime Centre, the FBI, and the Royal Canadian Mounted Police. During the arrest, police seized eight computers, 32 external hard drives, and €400,000 in cryptocurrencies, Europol said.

The arrest follows a similar action in Ukraine in October last year when a joint international law enforcement operation led to the arrest of two of his accomplices.

Europol says Vasiliev, described as “one of the world’s most prolific ransomware operators,” was one of its high-value targets due to his involvement in numerous high-profile ransomware cases. The EU police agency added that he is known for trying to extort victims with ransom demands of between €5 million and €70 million.

A separate press release from the Department of Justice notes that LockBit has claimed at least 1,000 victims in the United States and has extracted tens of millions of dollars in actual ransom payments from their victims.

Vasiliev is awaiting extradition to the United States, where he is charged with conspiracy to intentionally damage protected computers and to transmit ransom demands. If convicted, he faces a maximum of five years in prison.

“Yesterday’s successful arrest demonstrates our ability to maintain and apply relentless pressure against our adversaries,” said FBI Deputy Director Paul Abbate. “The FBI’s persistent investigative efforts, in close collaboration with our federal and international partners, illustrates our commitment to using all of our resources to ensure we protect the American public from these global cyber threat actors.”

Brett Callow, a ransomware expert and threat analyst at Emsisoft, tells TechCrunch that Vasiliev’s arrest could signal the end of the LockBit operation “as other cybercriminals will lose confidence in the integrity of the operation.

“Unfortunately, the group will probably rebrand, but this is nonetheless a significant arrest,” Callow added. “Vasiliev could well lead law enforcement to others involved in the operation.”

Specific victims targeted by the suspected LockBit operator were not named by Europol. However, France’s involvement in the operation suggests Vasiliev could be linked to a recent attack on French aerospace and defense group Thales.

LockBit, a prominent ransomware operation that’s previously claimed attacks on tech manufacturer Foxconn, U.K. health service vendor Advanced, and IT giant Accenture, added Thales to its leak site on October 31. The group claimed to have published data stolen from the company today, which it describes as “very sensitive” and “high risk” in nature. Contents of the data leak include commercial documents, accounting files and customer files, according to LockBit, though the files had not been published at the time of publication.

“As far as customers are concerned, you can approach the relevant organizations to consider taking legal action against this company that has greatly neglected the rules of confidentiality,” a message on the LockBit leak site reads.

Thales spokesperson Cedric Leurquin did not immediately respond to our request for comment.

LockBit also claims to have today leaked 40 terabytes of data stolen from German automotive giant Continental, and samples of the data suggest that the gang has accessed technical documents and source code. Though a ransom demand was not explicitly stated, the ransomware gang’s leak page claims to offer access to the full tranche of stolen data for $50 million.

Continental spokesperson Marc Siedler told TechCrunch that the company’s investigation into the incident has revealed that “attackers were also able to steal some data from the affected IT systems,” but refused to say what types of data were stolen or how many customers and employees have been affected.

Police arrest suspected LockBit operator as the ransomware gang spills new data by Carly Page originally published on TechCrunch

Noetic Cyber emerges from stealth with $15M led by Energy Impact Partners

Noetic Cyber, a cloud-based continuous cyber asset management and controls platform, has launched from stealth with a Series A funding round of $15 million led by Energy Impact Partners.

The round was also backed by Noetic’s existing investors, TenEleven Ventures and GlassWing Ventures, and brings the total amount of funds raised by the startup to $20 million following a $5 million seed round. Shawn Cherian, a partner at Energy Impact Partners, will join the Noetic board, while Niloofar Razi Howe, a senior operating partner at the investment firm, will join Noetic’s advisory board.

“Noetic is a true market disruptor, offering an innovative way to fix the cyber asset visibility problem — a growing and persistent challenge in today’s threat landscape,” said Howe.

The Massachusetts-based startup claims to be taking a new approach to the cyber asset management problem. Unlike traditional solutions, Noetic is not agent-based, instead using API aggregation and correlation to draw insights from multiple security and IT management tools.

“What makes us different is that we’re putting orchestration and automation at the heart of the solution, so we’re not just showing security leaders that they have problems, but we’re helping them to fix them,” Paul Ayers, CEO and co-founder of Noetic Cyber, tells TechCrunch.

Ayers was previously a top exec at PGP Corporation (acquired by Symantec for $370 million) and Vormetric (acquired by Thales for $400 million) and founded Noetic Cyber with Allen Roger and Allen Hadden, who have previously worked at cybersecurity vendors including Authentica, Raptor and Axent. All three were also integral to the development of Resilient Systems, which was acquired by IBM.

“The founding team’s experience in the security, orchestration, automation and response market gives us unique experience and insights to make automation a key pillar of the solution,” Ayers said. “Our model gives you the certainty to make automation possible; the goal is to find and fix problems continuously, getting assets back to a secure state.”

“The development of the technology has been impacted by the current cyber landscape, and the pandemic, as some of the market drivers we’ve seen around the adoption of cloud services, and the increased use of unmanaged devices by remote workers, are driving a great need for accurate cyber asset discovery and management.”

The company, which currently has 20 employees, says it plans to use the newly raised funds to double its headcount by the end of the year, as well as to increase its go-to-market capability in the U.S. and the U.K. to grow its customer base and revenue.

“In terms of technology development, this investment allows us to continue to add development and product management talent to the team to build on our cyber asset management platform,” Ayers said. 

“The beauty of our approach is that it allows us to easily add more applications and use cases on top of our core asset visibility and management model. We will continue to add more connectors to support customer use cases and will be bringing a comprehensive controls package to market later in 2021, as well as a community edition in 2022.”

Google will let enterprises store their Google Workspace encryption keys

As ubiquitous as Google Docs has become in the last year alone, a major criticism often overlooked by the countless workplaces that use it is that it isn’t end-to-end encrypted, allowing Google — or any requesting government agency — access to a company’s files. But Google is finally addressing that key complaint with a round of updates that will let customers shield their data by storing their own encryption keys.

Google Workspace, the company’s enterprise offering that includes Google Docs, Slides and Sheets, is adding client-side encryption so that a company’s data will be indecipherable to Google.

Companies using Google Workspace can store their encryption keys with one of four partners for now: Flowcrypt, Futurex, Thales, or Virtru, which are compatible with Google’s specifications. The move is largely aimed at regulated industries — like finance, healthcare, and defense — where intellectual property and sensitive data are subject to intense privacy and compliance rules.

(Image: Google / supplied)

The real magic lands later in the year when Google will publish details of an API that will let enterprise customers build their own in-house key service, allowing workplaces to retain direct control of their encryption keys. That means if the government wants that company’s data, they have to knock on their front door — and not sneak around the back by serving the key holder with a legal demand.

Google published technical details of how the client-side encryption feature works, and will roll out as a beta in the coming weeks.

Tech companies giving their corporate customers control of their own encryption keys has been a growing trend in recent years. Slack and cloud vendor Egnyte already allow their enterprise users to store their own encryption keys, effectively cutting themselves out of the surveillance loop. But Google has dragged its feet on encryption for so long that startups are working to build alternatives that bake in encryption from the ground up.

Google said it’s also pushing out new trust rules for how files are shared in Google Drive to give administrators more granularity on how different levels of sensitive files can be shared, and new data classification labels to mark documents with a level of sensitivity such as “secret” or “internal”.

The company said it’s improving its malware protection efforts by now blocking phishing and malware shared from within organizations. The aim is to help cut down on employees mistakenly sharing malicious documents.