The malicious ransomware variant has been deployed by criminal hackers to extort tens of millions of dollars from victims around the world — ranging from global banks to local schools. It is widely believed to be operated from Russia.
As part of the joint operation, two people were arrested Tuesday morning in Poland and Ukraine, and over 200 cryptocurrency accounts were frozen, according to the NCA’s statement. In the United States, the Department of Justice said it has criminally charged two Russian nationals with using LockBit to carry out ransomware attacks, and said both are in U.S. custody.
In a statement, NCA Director General Graeme Biggar described LockBit as the “most harmful cybercrime group” in the world. “Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out.”
British law enforcement officials said they had obtained more than 1,000 “decryption keys” that could be used to help recover victims’ stolen data, and had seized the wider infrastructure deployed by LockBit to steal that data, as well as servers belonging to 28 of its affiliates.
The NCA reveals details of an international disruption campaign targeting the world’s most harmful cyber crime group, Lockbit.
Watch our video and read on to learn more about Lockbit and why this is a huge step in our collective fight against cyber crime.
— National Crime Agency (NCA) (@NCA_UK) February 20, 2024
The first sign of this news appeared late Monday, when a notice appeared on LockBit’s website that read: “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”
Criminals use LockBit ransomware to hack into the internal databases of targeted organizations, extract sensitive data and attempt to extort money from victims. According to the Justice Department, the malicious software has been used to extort more than $120 million in ransom payments from over 2,000 victims. In 2022, it was the most deployed piece of ransomware in the world, according to the U.S. Cybersecurity and Infrastructure Security Agency.
“LockBit is one of the most significant ransomware threats, and many would argue it to be the most prolific group today,” Jason Nurse, a cybersecurity expert at the University of Kent in England, said in an email Tuesday. “These groups are well-funded, operate like a business and are extremely careful in their approach,” he added, describing the takedown as significant.
U.S. officials categorize LockBit as a “Ransomware-as-a-Service” model, meaning it provides third-party criminals with access to a variant of the group’s ransomware in return for a one-time fee or ongoing payments. “This substantially increases the scale of LockBit attacks, and has helped it become so prolific,” Nurse said.
According to the FBI, the tool has been used to execute more than 1,700 cyberattacks in the United States, its targets ranging from local schools to global aerospace giants.
Nurse said LockBit’s creators appear to be financially motivated, using their malware to compromise systems and demand ransoms. “If payments aren’t made, the group threatens to publish stolen data on leak websites, a tactic known as double extortion,” he said. In November, Reuters reported that LockBit published data stolen from Boeing after a ransomware attack confirmed by Boeing.
The same month, LockBit perpetrated a ransomware attack on the financial services division of ICBC, a major Chinese bank, rocking financial markets in a rare attack on a banking-sector target. The tool was also used to cripple Britain’s mail service last year, disrupting international parcel exports for a week.
In 2022, LockBit issued an apology after it said its ransomware was used to target a children’s hospital. It offered the hospital a decryptor to unlock its systems — and reportedly issued policy guidance that banned criminals from using its software in attacks “where damage to the files could lead to death.”
British law enforcement agencies have previously warned against focusing too much on tackling individual variants of ransomware, comparing the strategy to a game of whack-a-mole. “While on the surface, an attack can be attributed to a piece of ransomware (such as Lockbit), the reality is more nuanced, with a number of cybercriminal actors involved throughout the process,” NCA officials said. Disrupting individual ransomware variants “is akin to treating the symptoms of an illness, and is of limited use unless the underlying disease is addressed.”
Nurse said the wider effect of Operation Cronos in disbanding LockBit’s criminal operations will depend on whether law enforcement agents succeed in also seizing source code, details of victims and chats between affiliates. “Assuming this is the case, the group, and especially its affiliates, may disband their operations, even if only for some period for fear that The National Crime Agency of the UK, the FBI, or Europol could find out their identities and look to arrest them,” he said.