The National Police Agency announced the same day that European police agencies, in cooperation with police in Japan and other countries, had arrested two people believed to be members of LockBit, a criminal group that has repeatedly targeted companies and other organizations around the world.


"LockBit" has been confirmed to have caused damage to more than 100 businesses, hospitals and other organizations in Japan.

According to the National Police Agency, Europol had arrested the two people by the 20th for launching cyberattacks on critical infrastructure in various countries using ransomware, a type of computer virus that demands a ransom.



The two are believed to be members of LockBit, a criminal group that repeatedly attacks companies around the world with ransomware; police from 10 countries, including Japan, cooperated in the investigation.



"LockBit" is known for publishing stolen data on underground websites if the ransom is not paid. In Japan, a large-scale system failure at the container terminal at Nagoya Port in July last year left the terminal unable to load and unload cargo, and so far more than 100 cases of damage to businesses, hospitals and other organizations have been confirmed.



Additionally, in this case, a tool developed by Japanese police and provided to Europol was used to recover stolen data.



The National Police Agency says it will further strengthen cooperation with foreign investigative agencies in order to crack down on crime in cyberspace and clarify what is actually happening.

“LockBit” has also caused damage to businesses and hospitals in Japan

"LockBit" is an international hacker group whose activities have been confirmed since the summer of 2019. In Japan, a container terminal at Nagoya Port was hit by a cyberattack last year, making it impossible to load and unload containers for three days. In addition, in 2021, a hospital in Tokushima Prefecture had its electronic medical record data encrypted, and as a result it had to stop accepting new patients for approximately two months, except in the obstetrics department.



The modus operandi is a cyberattack using ransomware, a computer virus that demands a ransom: the data stored on the target organization's servers is encrypted, forcing the organization to halt its business, and a ransom is then extorted in exchange for lifting the encryption.



According to the security company Mitsui & Co. Secure Direction, more than 140 attack groups using ransomware have been confirmed around the world, and there were 5,089 suspected attacks in the year up to January this year. Of these, 1,111 were attributed to LockBit, accounting for over 20% of the total.



Takashi Yoshikawa, a senior malware analysis engineer, said, "Compared to other criminal groups, it is the most active group with the highest number of attacks, and is a major threat to the world."



According to Mr. Yoshikawa, attacks on organizations related to Japan have been occurring one after another, and at least 68 attacks have been confirmed so far.



Among these, in 2023 the container terminal at Nagoya Port was unable to load and unload containers for about three days, and in 2021 electronic medical record data was encrypted at a municipal hospital in Tokushima Prefecture, which stopped accepting new patients for about two months, with the exception of the obstetrics department. In 2022, a major tire manufacturer and a major food manufacturer were also affected.



Mr. Yoshikawa said, "Cyber criminals operate in various countries, so it is necessary for investigative agencies in various countries to work together." Regarding the latest raid, he said, "Japanese institutions also doing their part allows them to have a strong presence, and is thought to serve as a very strong deterrent to other criminals."



On the other hand, even when some members of a hacker group are arrested for cyber crimes, there are many cases where the group resumes its activities under a new name, so continued vigilance will be necessary.



Countermeasures include keeping network devices such as VPN equipment up to date, implementing multi-factor authentication, and backing up data offline.



Mr. Yoshikawa of Mitsui & Co., Ltd. Secure Direction said, "Many of the countermeasures are basic ones that have been talked about in the past, but the reason attacks continue is that they have not readily been implemented. I would like you to reconsider the basic countermeasures," calling for attention to the issue.