Law enforcement disrupts LockBit ransomware group

The U.S. Federal Bureau of Investigation and the U.K. National Crime Agency have stopped LockBit’s activities.

LockBit’s dark web leak site, where it identifies victims and threatens to expose stolen data unless a ransom is paid, was replaced with a law enforcement alert on Monday.

LockBit, a ransomware operation that began in late 2019, has become one of the world’s most prolific cybercrime gangs, extorting victims worldwide and earning millions of dollars.

U.K. National Crime Agency spokesman Hattie Hafenrichter told Eltrys that “LockBit services have been disrupted as a result of international law enforcement action.” The downed leak site said that it is “now under the control of the National Crime Agency of the U.K., working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

At press time, the site contains backend dumps and information about LockBit’s accused mastermind, LockBitSupp.

The NCA leads Operation Cronos, coordinated by Europol and Eurojust across Europe. International police from Australia, Canada, France, Finland, Germany, the Netherlands, Japan, Sweden, Switzerland, and the US participated in the ransomware takedown.

Europol said Tuesday that the months-long operation “resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise.” This includes the seizure of over 200 bitcoin wallets and 34 servers across Europe, the U.K., and the U.S.

These wallets had an unknown amount of bitcoin, which the authorities confiscated.

Meanwhile, the U.S. Justice Department indicted two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev, for LockBit intrusions.

The DOJ previously accused three additional LockBit ransomware members. Mikhail Vasiliev, a dual Russian-Canadian citizen, is in Canada awaiting extradition, and Ruslan Magomedovich Astamirov is in the U.S. awaiting trial. The third alleged member, Mikhail Pavlovich Matveev, also known as Wazawaka, is wanted by the United States, with a $10 million reward attached.

French prosecutors requested the arrest of two LockBit suspects in Poland and Ukraine.

Before Monday’s removal, LockBit’s dark web leak site said it was “located in the Netherlands, completely apolitical, and only interested in money.”

As part of Operation Cronos, law enforcement said they have obtained decryption keys from LockBit’s confiscated infrastructure to help victims restore access to their data.

Eltrys quotes Future ransomware specialist and threat intelligence analyst Allan Liska as saying that this “is absolutely the end of the LockBit operation in its current form.”

LockBitSupp, the LockBit operation’s spokesman, won’t be jailed, but his organization is crippled and the infrastructure is naked. Based on prior takedowns, this will hurt his reputation and ability to recruit new affiliates, Liska added.

The DOJ estimates that LockBit has been utilized in 2,000 ransomware operations against U.S. and international victim systems and has obtained over $120 million in extortion.

Eltrys said that NCC Group, a U.K. cybersecurity firm, registered more than 1,000 LockBit victims in 2023, or “22% of all ransomware victims we identified for the whole year.”

LockBit and its allies claim to have hacked major corporations. The organization claimed attacks on Boeing, TSMC, and Royal Mail last year. In recent months, LockBit has claimed responsibility for a ransomware attack on Georgia’s Fulton County, which interrupted crucial county functions for weeks, and for hacks on India’s state-owned aerospace research center and a major financial institution.

The Monday takedown is the latest law enforcement effort against ransomware groups. In December, international law enforcement agencies seized the dark web leak site of the notorious ransomware gang ALPHV, or BlackCat, which targeted Reddit, Norton, and Barts Health NHS Trust.

Author: Juliet P.