11-Nation Operation Takes Down World’s ‘Most Harmful’ Cybercriminal Group

Handout via REUTERS/File Photo
A screenshot taken on February 19, 2024 shows a take down notice that a group of global intelligence agencies issued to a dark web site called Lockbit.

An international coalition of law enforcement agencies in 11 countries announced Tuesday that it had taken control of computers and software at the heart of the world’s most prolific ransomware group, giving victims hope that they won’t be forced to make ransom payments to recover data stolen from their computer systems.

The infrastructure seized from the LockBit ransomware gang included hundreds of electronic keys needed to recover the stolen data as well as the site on the dark web, where LockBit leaked data from victims who refused to pay ransoms in cryptocurrency, officials said.

The law enforcement effort, dubbed Operation Cronos, was led by the United Kingdom’s National Crime Agency and included the FBI and other enforcement agencies. The coalition then used the group’s site to mimic its previous operation and begin leaking information about LockBit, posting a countdown timer for files still to come, including one teasing forthcoming information about the anonymous frontman for the gang.

“It’s a thing of beauty. The NCA and FBI are trolling LockBit aggressively,” said Don Smith, vice president at Secureworks, which had its analysis of the group republished by the authorities on the hackers’ site.

Criminals who hack into the internal networks of targeted organizations use ransomware to encrypt the data there and render it unusable. They demand money for the decryption key and sometimes not to publish data they have stolen. According to the Justice Department, LockBit malware has been used to extort more than $120 million in ransom payments from more than 2,000 victims.

The first sign of the takeover appeared late Monday, when a notice appeared on LockBit’s site that read: “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

U.K. and U.S. officials said they won control of 200 financial accounts holding an undisclosed amount of cryptocurrency, the programming source code used to encrypt data and sneak it out of corporate networks, and records of electronic chats with the LockBit affiliates who conducted the actual hacking. One accused participant was arrested in Ukraine and another in Poland, with both now in American custody, while an indictment was unsealed against two others who are presumed to be inside Russia.

LockBit malware has been responsible for about a quarter of all ransomware attacks in the past two years, Secureworks estimated. LockBit is widely believed to be operated from Russia, though its ties to the Russian government, if any, are uncertain.

In 2022, it was the most-deployed piece of ransomware in the world, according to the U.S. Cybersecurity and Infrastructure Security Agency.

LockBit has published data stolen from aerospace giant Boeing and upset financial markets with an attack on the financial services division of a major Chinese bank, ICBC. The tool was also used to cripple Britain’s mail service last year, disrupting international parcel exports for a week. It has hit numerous U.S. cities, school systems and counties, recently including Fulton County in Georgia, where former president Donald Trump faces charges related to his alleged efforts to overturn the 2020 election.

Fulton County officials said Wednesday that some its services, including technology used in its justice system, remained disrupted more than two weeks after the attack – requiring that certain meetings take place in person rather than over the phone or other communications platforms.

NCA Director General Graeme Biggar called LockBit the “most harmful cybercrime group” in the world. “Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out,” he said in a statement.

Officials did not reveal how they succeeded in seizing LockBit’s site, but one person close to the operation said it may have taken as long as a year. With ransomware groups hitting critical infrastructure and extorting as much as a $1 billion annually, many acting from within Russia’s borders, tech-enabled takedowns have become a top priority, sometimes getting assistance from intelligence and military agencies as well as law enforcement.

Previous takedowns and arrests have broken some crime rings or dented them. But because some of the top groups operate in a decentralized fashion, essentially offering their services for hire to cybercriminals seeking to penetrate an organization, other ransomware groups were able to offer similar services. In this case, the investigators are threatening the hackers themselves, known as affiliates, warning them on the seized site that they may be in touch and inviting them to come forward first.

LockBit became the top ransomware operation by giving its affiliates, who keep about 80 percent of the ransoms, unusual latitude to negotiate with their targets and publish the pilfered data themselves. Other ransomware gangs handle such duties on behalf of the hackers.

That deeper collaboration between LockBit and the affiliates may have helped investigators penetrate the network. The coalition said it also had gained control of 28 servers belonging to affiliates.

“LockBit is one of the most significant ransomware threats, and many would argue it to be the most prolific group today,” Jason Nurse, a cybersecurity expert at the University of Kent in England, said in an email. “These groups are well-funded, operate like a business and are extremely careful in their approach,” he added.

In 2022, LockBit issued an apology after it said its ransomware was used to target a children’s hospital. It offered the hospital a code to unlock its systems – and reportedly issued policy guidance that banned criminals from using its software in attacks “where damage to the files could lead to death.”

But the loose affiliate model means that every few months, someone installed LockBit on a sensitive target anyway, researchers said.

British law enforcement agencies have previously warned against focusing too much on tackling individual variants of ransomware. Disrupting individual ransomware variants “is akin to treating the symptoms of an illness, and is of limited use unless the underlying disease is addressed,” the NCA said.

But U.K. and U.S. officials hope that LockBit and its affiliates will disband their operations, at least temporarily, out of concern that the authorities will be able to identify them and arrest at least those affiliates who are outside Russia and China.