U.S. Law Enforcement Seize Bulletproof Hoster LolekHosted.net

Date: August 14, 2023


U.S. authorities announced the indictment of a Polish national for “computer fraud conspiracy, wire fraud conspiracy, and international money laundering” for his role in operating a “bulletproof webhosting” service that “facilitated the operation of ransomware attacks and the subsequent laundering of the illicit proceeds.”

According to court records, Artur Karol Grabowski operated webhosting company LolekHosted that facilitated criminal threat actors responsible for brute-force, phishing, and other attacks that infected victims with the NetWalker and other ransomware variants.

“Grabowski allegedly facilitated the criminal activities of LolekHosted clients by allowing clients to register accounts using false information, not maintaining Internet Protocol (IP) address logs of client servers, frequently changing the IP addresses of client servers, ignoring abuse complaints made by third parties against clients, and notifying clients of legal inquiries received from law enforcement,” the Justice Department stated.

“The NetWalker ransomware was deployed on approximately 400 victim company networks, including municipalities, hospitals, law enforcement and emergency services, school districts, colleges, and universities, which resulted in the payment of more than 5,000 bitcoin in ransoms (currently valued at approximately $146 million)… Specifically, clients used the servers of LolekHosted as intermediaries when gaining unauthorized access to victim networks, and to store hacking tools and data stolen from victims.”

Takeaway: Bulletproof Hosting (BPH) companies have been the bane of law enforcement for about as long as there has been an Internet to police. These providers typically operate in jurisdictions which have lenient laws regarding illicit online conduct, and as such they have been known to openly facilitate criminal operations unapologetically.

The case of LolekHosted and the criminal activities they supported will be interesting given that Grabowski, the operator indicted, is a Polish national and therefore much more likely to actually be convicted of a crime than other BPH operators who may be located in regions beyond the reach of Western authorities.

There is a distinction to be made between traditional BPH operations and what Halcyon researchers have dubbed Command and Control Providers (C2P), who play a similar role in facilitating the larger Ransomware Economy and state-sponsored APT operations.

Similar to Bulletproof Hosting companies who cater to attackers and criminals and allow malicious activity to thrive on their networks, C2Ps are ostensibly legitimate Internet Service Providers (ISPs) who sell services to multiple threat actors while assuming an otherwise legal business profile.

C2Ps rely on legal loopholes in their Terms of Service and Privacy Policies that do not require them to vet their customers, enabling threat actors to abuse their platforms for malicious operations while enjoying plausible deniability.

Halcyon researchers recently documented one such C2P operation called Cloudzy that was registered in the U.S. state of Wyoming but was actually being operated out of Tehran, Iran. It was assessed that about half of all activity on Cloudzy networks was malicious and included APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments.

Malicious activity was also observed on Cloudzy networks from a sanctioned Israeli spyware vendor whose tools are known to target civilians, as well as several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines.

“What stood out most to us is the fact that we have ostensibly legitimate ISPs providing attack infrastructure to nation-state threat actors, ransomware operators, and other possibly sanctioned entities while under no obligation to take any action whatsoever to stem the illicit activity,” Ryan Smith, CTO and co-founder at Halcyon, told The Record.

“In fact, they are profiting from it… These Command-and-Control Providers — knowingly or unknowingly — are essentially another pillar in the global attack ecosystem, and a major player in the ransomware economy.”

In the report, titled Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps), Halcyon researchers also demonstrate a unique method for identifying C2P entities and show how they were able to observe precursors to major ransomware and espionage campaigns as the attack infrastructure on Cloudzy was being set up.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.