An international operation led by UK and US law enforcement has severely disrupted “the world’s most harmful cybercrime group”, the Russian-linked ransomware specialist LockBit, officials announced on Tuesday.
LockBit and its affiliates have targeted governments, major companies, schools and hospitals, causing billions of dollars of damage and extracting tens of millions in ransoms from victims.
Officials from Britain’s National Crime Agency (NCA), working with the US Federal Bureau of Investigation (FBI), Europol and agencies from nine other countries in Operation Cronos, said in a news conference in London that it had infiltrated LockBit’s network and taken control of its services.
“We have hacked the hackers, we have taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” NCA director-general Graeme Biggar told reporters.
LockBit’s website – selling services that allow people to organise cyberattacks and hold data until a ransom is paid appears – was taken over on Monday evening.
A message appeared on the site stating that it was “now under control of law enforcement”.
“Together, we have arrested, indicted or sanctioned some of the perpetrators and we have gained unprecedented and comprehensive access to Lockbit’s systems,” Biggar said. “As of today, Lockbit is effectively redundant. Lockbit has been locked out”.
A representative for Lockbit did not respond to messages from Reuters seeking comment.
The US Justice Department (DOJ) said that the law enforcement agencies had seized control of “numerous public-facing websites used by LockBit to connect to the organisation’s infrastructure” and taken control of servers used by LockBit administrators.
The NCA added that it had obtained more than 1,000 decryption keys and will be contacting UK-based victims in the coming days and weeks to offer support and help them recover encrypted data.
Biggar said that the network had been behind 25% of all cyberattacks in the past year.
LockBit has targeted more than 2,000 victims and received more than $120mn in ransom payments since it formed four years ago, according to the DOJ.
In November last year, Lockbit published internal data from Boeing, one of the world’s largest defence and space contractors, and said that the US arm of China’s ICBC had paid a ransom following an attack that disrupted trades in the US Treasury market.
In early 2023, Britain’s Royal Mail faced severe disruption after an attack by the group.
In January 2023, US law enforcers shut down the Hive ransomware operation which extorted some $100mn from more than 1,500 victims worldwide.
Since then, LockBit has been seen as the biggest current threat.
Hive and LockBit are part of what cybersecurity experts call a “ransomware as a service” style, or RaaS – a business that leases its software and methods to others to use in extorting money.
Ariel Ropek, director of cyber threat intelligence at cybersecurity firm Avertium, told AFP last year that this structure makes it possible for criminals with minimal computer fluency to get into ransomware by paying others for their expertise.
On the so-called darkweb, providers of ransomware services pitch their products openly.
At one end are the initial access brokers, who specialise in breaking into corporate or institutional computer systems.
They then sell that access to the hacker, or ransomware operator.
However, the operator depends on RaaS developers like Hive or LockBit, which have the programming skills to create the malware needed to carry out the operation.
Typically, their programs – once inserted by the ransomware operator into a target’s IT systems – are manipulated to freeze, via encryption, the target’s files and data.
RaaS developers offer a full service to the operators, for a large share of the ransom paid out, said Ropek.
When the ransomware is planted and activated, the target receives a message telling them how much to pay to get their data unencrypted.
That ransom can run from thousands to millions of dollars.
On Tuesday the US unsealed an indictment against two Russian nationals, bringing to five the number of Russians it has charged in connection with LockBit.
In a separate notice, the US Treasury Department said it is imposing sanctions on the pair, affiliates of LockBit, who “actively engaged” in ransomware attacks.
Biggar said that a “large concentration” of the cyber criminals are in Russia and are Russian-speaking, but law enforcement agencies have not seen any direct support for LockBit from the Russian state.
“There is clearly some tolerance of cyber criminality within Russia,” he added.
A screenshot taken on Monday shows a takedown notice that a group of global intelligence agencies issued to a darkweb site called Lockbit.
A screenshot taken on Tuesday shows how a darkweb site called Lockbit appears after law enforcement agencies took control of it and turned it into a leak site about Lockbit itself.