International task force takes down world’s biggest ransomware group LockBit

By Hongeun Im, The Readable
Feb. 22, 2024 9:50PM GMT+9

A collaborative task force named “Operation Cronos,” involving the National Crime Agency (NCA), the Federal Bureau of Investigation (FBI), Europol, and other international partners, successfully infiltrated and disrupted LockBit, one of the world's most prevalent ransomware variants.

In a press release issued by the National Crime Agency (NCA) on Tuesday, it was announced that the task force, as part of Operation Cronos, arrested two LockBit affiliates, disabled over 200 cryptocurrency accounts, and obtained more than 1,000 decryption keys, an essential component that allows victims of ransomware to recover their compromised data. The affiliates were apprehended in Poland and Ukraine, while two Russians faced sanctions from the United States. Furthermore, Europol disclosed that the operation led to the shutdown of 34 servers worldwide and the closure of over 14,000 accounts across two encrypted email services—Tutanota and ProtonMail—as well as the online storage service Mega.

The dark web site operated by the LockBit ransomware group, previously used by the criminals to blackmail victims by showcasing stolen information alongside countdown timers that pressured them into paying the ransom, has been taken over by international law enforcement. It now displays leaked information about LockBit itself, including screenshots of the administrative interface, text conversations, and source code. According to the updated countdown timers on the site, additional details regarding the group's profits and its associates are scheduled to be released on Friday.

The seized LockBit webpage, updated on February 22, shows leaked information about LockBit. Image provided by S2W to The Readable

LockBit operates as a ransomware criminal group, infiltrating organizations to steal sensitive data which is then used to extort money from the victims. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in 2023, LockBit was responsible for 16% of ransomware incidents in the U.S., impacting almost 1,700 victims since 2020. Abigail Bradshaw, the Head of the Australian Cyber Security Centre (ACSC), described LockBit in that same year as one of “the most prolific and disruptive ransomware variants.”

LockBit has been implicated in several high-profile ransomware attacks, including a significant breach in November of 2023, during which it stole and leaked vast quantities of data from Boeing, one of the largest aerospace companies. Additionally, in January, the United Kingdom’s Royal Mail was targeted by LockBit. After the Royal Mail declined to pay a ransom of 84 million dollars, the group released gigabytes of data on its website. The U.S. unit of the Industrial and Commercial Bank of China (ICBC) also experienced an attack from this notorious group in November.

In June of 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory concerning LockBit. The advisory highlighted that LockBit had targeted organizations of various sizes across numerous critical infrastructure sectors. These sectors include financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. Additionally, the advisory provided detailed technical observations regarding the tools and methods employed by LockBit.

Dov Lerner, the security research lead at Cybersixgill, a cybersecurity firm specializing in threat analysis, commented, “Over the last few years, ransomware groups have evolved from mere nuisances into sophisticated enterprises that have stolen hundreds of millions of dollars and adversely affected businesses and critical infrastructure.” Referring to Tuesday’s announcement, Lerner described it as “a victory for law enforcement efforts and welcome news for any business concerned about the threat of ransomware.”

Sandra Joyce, the Executive Vice President of Mandiant Intelligence at Google Cloud, shared her views on the success of Operation Cronos, stating, “Justice is served. This represents a significant and deserved setback for a malicious entity responsible for financial losses and genuine distress globally. We couldn’t ask for a more effective disruption to ransomware activities. This is the kind of model we hope to see more of moving forward.”

Source: The National Crime Agency of the United Kingdom

Ed Dubrovsky, the Chief Operating Officer of Cypfer, a company specializing in ransomware response, expressed skepticism about the long-term impact of the takedown of LockBit. In a LinkedIn post, Dubrovsky stated, “Time will tell whether LockBit simply folds or returns with a vengeance, potentially abandoning the few so-called rules they had, much like what happened with BlackCat. We should certainly embrace our law enforcement colleagues for securing a significant victory against the world’s largest ransomware group. Nonetheless, the battle is not over, and we must all remain vigilant.”

BlackCat, another ransomware group, was the target of law enforcement actions last December similar to those launched against LockBit. Despite these efforts, BlackCat managed to restore its website multiple times. The FBI seized several of BlackCat's websites and provided victims of the group with decryption tools to enable them to recover their data. In contrast to BlackCat's situation, the actions against LockBit included actual arrests, and there have been no reports of the group's website being restored, indicating a potentially more significant impact on its operations.

Graeme Biggar, Director General of the National Crime Agency (NCA), addressed these concerns by emphasizing the ongoing nature of their efforts: “Our work does not stop here. LockBit may attempt to rebuild their criminal enterprise. However, we are aware of their identities and the way they operate. We are tenacious and will persist in our efforts to target this group and anyone associated with them.”

This article was edited by Dain Oh and copyedited by Arthur Gregory Willers.

Hongeun Im is a reporting intern for The Readable. Motivated by her aspirations in cybersecurity and aided by the language skills she honed while living in the United Kingdom, Im aims to write about security issues affecting the Korean Peninsula and lead more people to become interested in cybersecurity. She attends Gwangju Institute of Science and Technology, majoring in Electrical Engineering and Computer Science. Her interest in computer science led her to participate in the World Friends Korea volunteer program, where she taught Python at the Digital Government Center in Laos and at Al-Balqa Applied University in Jordan.