Global law enforcement agencies strike against LockBit ransomware group, disrupting operations, seizing assets

The U.S. Department of Justice (DoJ) joined the U.K. and international law enforcement partners in London to officially announce the disruption of the LockBit ransomware group. Recognized as one of the most prolific ransomware groups that targeted critical infrastructure and other public and private organizations globally, LockBit has compromised over 2,000 entities, amassed upwards of US$120 million in ransom payments, and issued ransom demands amounting to several hundred million dollars. Furthermore, the agencies disclosed specifics of a coordinated international effort aimed at dismantling LockBit, identified as the most detrimental cybercrime syndicate worldwide.

The U.K. National Crime Agency’s (NCA) Cyber Division, working in cooperation with the Justice Department, the Federal Bureau of Investigation (FBI), and other international law enforcement partners, seized numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and seized control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks and to extort victims by threatening to publish stolen data.

The crackdown against the LockBit ransomware group has significantly degraded the capabilities of the group responsible for launching crippling ransomware attacks against critical infrastructure and other public and private organizations around the world. The operation demonstrates both the capability and the commitment of the agencies involved to defend cybersecurity and national security from any malicious actor who seeks to disrupt people’s way of life.

The LockBit ransomware variant, like other major ransomware variants, operates in the ‘ransomware-as-a-service’ (RaaS) model, in which administrators, also called developers, design the ransomware, recruit other members — called affiliates — to deploy it, and maintain an online software dashboard called a ‘control panel’ to provide the affiliates with the tools necessary to deploy LockBit.

Affiliates, in turn, identify and unlawfully access vulnerable computer systems, sometimes through their own hacking and at other times by purchasing stolen access credentials from others. Using the control panel operated by the developers, affiliates then deploy LockBit within the victim computer system, allowing them to encrypt and steal data; a ransom is then demanded to decrypt the data or to avoid its publication on a public website maintained by the LockBit developers, often called a data leak site.

The NCA has taken control of LockBit’s primary administration environment, which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims. Instead, this site will now host a series of information releases exposing LockBit’s capability and operations, which the NCA will be posting daily throughout the week.

The agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have worked with them and used their services to harm organizations throughout the world. Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised.

The NCA, working closely with the FBI and supported by international partners from nine other countries, has been covertly investigating LockBit as part of a dedicated task force called ‘Operation Cronos.’

The NCA detailed that LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. “Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down. The technical infiltration and disruption is only the beginning of a series of actions against LockBit and their affiliates.”

It added that in wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland and Ukraine, and over 200 cryptocurrency accounts linked to the group have been frozen.

“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners,” according to Graeme Biggar, National Crime Agency Director General. “Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”

He added that as of today, LockBit hackers are locked out. “We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity. Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

“The National Crime Agency’s world-leading expertise has delivered a major blow to the people behind the most prolific ransomware strain in the world,” said James Cleverly, Home Secretary. “The criminals running LockBit are sophisticated and highly organized, but they have not been able to escape the arm of UK law enforcement and our international partners. The UK has severely disrupted their sinister ambitions and we will continue going after criminal groups who target our businesses and institutions.”

“For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation,” according to U.S. Attorney General Merrick B. Garland. “And we are going a step further – we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data. LockBit is not the first ransomware variant the U.S. Justice Department and its international partners have dismantled. It will not be the last.”

“Today, the FBI and our partners have successfully disrupted the LockBit criminal ecosystem, which represents one of the most prolific ransomware variants across the globe,” Christopher A. Wray, FBI director, said. “We will continue to work with our domestic and international allies to identify, disrupt, and deter cyber threats, and to hold the perpetrators accountable.”

The DoJ also unsealed an indictment obtained in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as ‘Bassterlord,’ with deploying LockBit against numerous victims throughout the U.S., including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. Also, additional criminal charges against Kondratyev were unsealed in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in California.

“Today’s indictment, unsealed as part of a global coordinated action against the most active ransomware group in the world, brings to five the total number of LockBit members charged by my office and our FBI and Computer Crime and Intellectual Property Section partners for their crimes,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey. “And, even with today’s disruption of LockBit, we will not stop there. Our investigation will continue, and we remain as determined as ever to identify and charge all of LockBit’s membership — from its developers and administrators to its affiliates. We will put a spotlight on them as wanted criminals. They will no longer hide in the shadows.”

Finally, the Department also unsealed two search warrants issued in the District of New Jersey that authorized the FBI to disrupt multiple U.S.-based servers used by LockBit members in connection with the LockBit disruption. As disclosed by those search warrants, those servers were used by LockBit administrators to host the so-called ‘StealBit’ platform, a criminal tool used by LockBit members to organize and transfer victim data.

With the latest indictment unsealed, a total of five LockBit members have now been charged for their participation in the LockBit conspiracy. In May last year, two indictments were unsealed in Washington, D.C., and the District of New Jersey charging Matveev with using different ransomware variants, including LockBit, to attack numerous victims throughout the U.S., including the Washington, D.C., Metropolitan Police Department.

The move by the security agencies comes at a time when data released by industrial cybersecurity company Dragos revealed a marked rise in cyber threat activities and disruptions across critical global infrastructure, attributing this surge to escalating global tensions. The report notably identified the emergence of new operational technology (OT) threat groups, such as Voltzite, which has ties to Volt Typhoon. It also disclosed that OT vulnerabilities have accumulated at an unprecedented rate over the past year, akin to the rapid pile-up of unread emails in an inbox.
