In a major victory against cybercrime, law enforcement agencies from 11 countries have disrupted the operations of LockBit, said to be the world's most prolific ransomware group.
The National Crime Agency (NCA) revealed details of an international disruption campaign targeting LockBit; the coordinated global action was dubbed Operation Cronos.
According to the NCA, LockBit has been in operation for four years and has been behind thousands of ransomware attacks worldwide, costing victims billions in ransom payments and recovery costs. The group operated a ransomware-as-a-service model, providing tools and infrastructure to a network of hackers or "affiliates" to carry out the attacks.
Once a victim's network was infected, data was stolen and systems encrypted. A ransom payment in cryptocurrency would then be demanded to decrypt files and prevent stolen data from being leaked online. The NCA said LockBit ran the world's most harmful cybercrime operation.
Through Operation Cronos, the NCA claims to have infiltrated LockBit's network and taken control of its primary infrastructure. This includes the group's dark web leak site, which was used to publish, and to threaten to publish, stolen victim data. The NCA has also obtained LockBit's source code and intelligence about its operations and affiliates.
"The NCA has taken control of LockBit's primary administration environment, which enabled affiliates to build and carry out attacks, and the group's public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims," the NCA news post reads.
"The Agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have worked with them and used their services to harm organisations throughout the world."
Stealbit - LockBit's Data Exfiltration Tool
According to the NCA, LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data.
The agency noted that over the previous 12 hours this infrastructure, based in three countries, had been seized by members of the Op Cronos taskforce, and that 28 servers belonging to LockBit affiliates had also been taken down.
LockBit Members Arrested and Crypto Accounts Frozen
As part of the disruption, the NCA and FBI seized LockBit's data exfiltration infrastructure across three countries, and 28 servers linked to LockBit affiliates were also taken down. Beyond the technical sabotage, over 200 cryptocurrency accounts connected to LockBit were frozen in actions coordinated by Europol.
Several alleged LockBit actors were arrested in Poland, Ukraine and the US. This includes two defendants who now face prosecution in the US for deploying LockBit ransomware attacks. Indictments were also unsealed against two Russian nationals accused of participating in the scheme.
With the indictment unsealed today, a total of five LockBit members have now been charged for their participation in the LockBit conspiracy.
Release of LockBit Decryption Keys
The wide-ranging coordinated effort has essentially locked LockBit out of their own systems. The NCA says it can now assist victims by providing over 1,000 decryption keys obtained from LockBit's infrastructure. This will allow UK victims to potentially recover encrypted data without paying ransom.
Beginning today, victims targeted by this malware are encouraged to contact the FBI via this form to enable law enforcement to determine whether affected systems can be successfully decrypted.
NCA Director General Graeme Biggar called the operation "ground-breaking" and said it shows no criminal group is beyond the reach of authorities. However, he warned LockBit may try to rebuild and said the NCA will continue targeting the group and its associates.
“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.
“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.
“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”
The operation grew out of work by the NCA-led regional cybercrime unit in the southwest of England. It demonstrates the power of global cooperation between law enforcement agencies to disrupt and prosecute cybercriminals, regardless of their location.
“Today’s actions are another down payment on our pledge to continue dismantling the ecosystem fueling cybercrime by prioritizing disruptions and placing victims first,” said Deputy Attorney General Lisa Monaco.
Ransomware attacks are becoming increasingly common, with hospitals, schools, businesses and other organizations being targeted. The disruption of LockBit deals a major blow to one of the most aggressive ransomware operations. However, experts say the cat-and-mouse game will continue as new cybercrime groups emerge.
Users and organizations must remain vigilant. Strong security practices like keeping software updated, enabling multi-factor authentication, training staff to spot phishing attempts, and maintaining offline backups can help reduce vulnerability. Reporting attacks early to law enforcement also helps agencies like the NCA gather intelligence and assist victims.
While the LockBit takedown does not eliminate the ransomware threat, it demonstrates that cybercriminals are not untouchable.
Global cooperation and technical expertise within law enforcement can produce successful operations against even the most sophisticated groups. The Operation Cronos partners deserve credit for their efforts to make cyberspace safer from extortion and theft.