Coalition of Internationals Law enforcement agencies, including the US Federal Bureau of Investigation and the UK’s National Crime Agency, have disrupted the operations of the notorious LockBit ransomware gang.
LockBit’s dark leak site — where the group publicly lists its victims and threatens to leak their stolen data unless a ransom is paid — was replaced with a law enforcement notice on Monday.
Since first emerging as a ransomware operation in late 2019, LockBit has become one of the world’s most prolific cybercrime gangs, targeting victims around the world and netting millions of dollars in extorted ransom payments.
Hattie Hafenrichter, a spokeswoman for the UK’s National Crime Agency, confirmed to TechCrunch that “LockBit services have been disrupted as a result of international law enforcement action.” A message on the defunct website confirmed that the site is “now under the control of the UK’s National Crime Agency, working in close collaboration with the FBI and the international law enforcement task force, ‘Operation Cronos.’
At the time of writing, the site is now home to a slew of information revealing LockBit’s features and functionality, including back-end leaks and details about LockBit’s alleged mastermind known as LockBitSupp.
A photo of the now defunct LockBit dark site. Image Credits: TechCrunch (screenshot)
Operation Time is a task force led by the NCA and coordinated in Europe by law enforcement agencies Europol and Eurojust. Other international law enforcement agencies from Australia, Canada, France, Finland, Germany, the Netherlands, Japan, Sweden, Switzerland and the United States also participated in the ransomware removal operation.
In a statement on Tuesday, Europol confirmed that the months-long operation “resulted in the compromise of LockBit’s main platform and other critical infrastructure that enabled their criminal enterprise.” This includes the takedown of 34 servers across Europe, the United Kingdom, and the United States, along with the seizure of more than 200 cryptocurrency wallets.
It is not yet known how much cryptocurrency was stored in these wallets or how much was seized by the authorities.
Separately, the US Department of Justice unsealed charges against two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev, for their alleged involvement in launching LockBit cyberattacks.
The Justice Department previously charged three other alleged LockBit ransomware members: Mikhail Vasiliev, a dual citizen of Russia and Canada, is currently in custody in Canada awaiting extradition to the US; and Russian national Ruslan Magomedovich Astamirov is in US custody awaiting trial. A third suspected member, Mikhail Pavlovich Matveev, also known as Wazawaka, is believed to be living in the Russian enclave of Kaliningrad and remains subject to a $10 million US government reward for information leading to his arrest.
Two alleged LockBit actors were also arrested in Poland and Ukraine at the request of French judicial authorities.
Before Monday’s takedown, LockBit claimed on its leaked dark web website that it was “located in the Netherlands, completely apolitical and only interested in money.”
As part of Operation Cronos, law enforcement says they have obtained decryption keys from LockBit’s seized infrastructure to help victims of the ransomware gang regain access to their data.
Allan Liska, a ransomware expert and threat intelligence analyst at Recorded Future, tells TechCrunch that this action “is absolutely the end of the LockBit operation in its current form.”
“While the main representative of the LockBit operation, LockBitSupp, will not be arrested, its operation is crippled and its infrastructure is completely exposed. Based on previous takedowns like this, this will have a serious impact on its reputation and ability to attract new affiliates in the future,” Liska said.
According to the DOJ, LockBit has been used in approximately 2,000 ransomware attacks against victim systems in the US and worldwide and has received more than $120 million in ransom payments.
Matt Hull, head of threat intelligence at UK-based cybersecurity firm NCC Group, told TechCrunch that the company recorded more than a thousand LockBit victims in 2023 alone, or “22% of all ransomware victims we identified for the entire year”.
LockBit and its affiliates claimed responsibility for hacking some of the largest organizations in the world. The group last year claimed responsibility for attacks against aerospace giant Boeing, chipmaker TSMC and British postal giant Royal Mail. In recent months, LockBit claimed responsibility for a ransomware attack in Fulton County, Georgia in the US state that disrupted essential services in the county for weeks, and for cyberattacks targeting India’s state-run aerospace research laboratory and one of its largest financial giants of India.
Monday’s takedown is the latest in a series of law enforcement actions targeting ransomware gangs. In December, a group of international law enforcement agencies announced they had taken down the dark web leak of the notorious ransomware gang, known as ALPHV or BlackCat, which claimed several high-profile victims, including the news-sharing website Reddit, healthcare company Norton and Barts Health London NHS Trust.
Read more at TechCrunch:
