UK, US, and EU law enforcement disrupt ransomware gang LockBit’s operations
Ransomware gang LockBit’s operations have been disrupted by a combined law enforcement takedown, claim the US, UK, and EU.
The US and UK authorities announced the takedown with a notice on the gang’s extortion site that read: “The site is now under control of law enforcement.”
LockBit is a ransomware gang that recruits affiliates worldwide to hack organisations, lock them out of their IT infrastructure, steal data, and demand a ransom in return for restoring access and not releasing the stolen information.
Its most high-profile victims include organisations as large as Boeing, the Royal Mail, the Ministry of Defence, and the Bank of America.
“LockBit has long been a scourge to businesses, government agencies, and security professionals,” explains Andy Kays, CEO of cyber security firm Socura. “It is arguably the most active ransomware group ever, whose attacks are both devastating and indiscriminate.”
According to cyber security firm WithSecure, LockBit was responsible for almost a fifth of all ransomware breaches last year, and a quarter in this year already.
As part of ‘Operation Cronos’, the takedown saw Britain’s National Crime Agency (NCA) partner with the US Federal Bureau of Investigation (FBI), Europol, and a coalition of international police agencies to interfere with LockBit’s operations.
An NCA spokesperson and a US Department of Justice spokesperson confirmed that they had disrupted the gang and operations are “ongoing and developing”, according to Reuters.
At 11:30 GMT on Tuesday 20th of February, Operation Cronos replaced the takedown notice with a site displaying multiple screenshots of LockBit’s backend, announcements of the arrests of an affiliate in Poland and an affiliate in Ukraine, and support for decryption and recovery tools.
The seized site will be shut down in four days, according to information posted there, with account closures and affiliate infrastructure expected to be taken down in the next day, and sanctions in the US to be revealed over the course of today.
As of writing, Cronos has taken down 14,000 ‘rogue accounts’, 200 cryptocurrency accounts linked to LockBit (primarily used to receive ransom payments), and 34 servers across the world.
“At present, a vast amount of data gathered throughout the investigation is now in the possession of law enforcement,” wrote Europol in a blog post. “This data will be used to support ongoing international operation activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure, and criminal assets.”
“A staggered release of data on LockBit’s own leak site is not only extremely embarrassing for LockBit, but also may suggest they themselves do not know the extent of the action taken,” says Tim West, director, threat intelligence & outreach at WithSecure.
Insights from security
“Ransomware groups often leverage public-facing vulnerabilities to infect their victims with ransomware. This time Operation Cronos gave LockBit operators a taste of their own medicine,” said security researcher at Picus Security, Huseyin Can Yuceel.
According to LockBit admins, the FBI was able to exploit a vulnerability in the gang’s public-facing servers and gain access to LockBit source code, internal chat, victims’ details, and stolen data.
“Although the LockBit group claims to have untouched backup servers, it is unclear whether they will be back online,” Yuceel adds.
Socura’s CEO, Kays, added: “LockBit’s takedown required the dedicated action of multiple countries and government agencies, which highlights the scale, importance and complexity of the task.”
Kays adds that he expects the agencies will have only acted with certainty that “they could hit them hard.”
“However, the group still maintains that they have backup servers. At this stage, it’s always extremely difficult to know if a campaign like this will put a group out of action for good,” he says. “We’ve seen time and time again that the same individuals can re-emerge and re-group.”
Most recently, the FBI “seized” the website of the ransomware gang BlackCat in partnership with international law enforcement agencies last December.
However, swiftly after the news broke, BlackCat announced it had “unseized” the site with the statement: “Because of [the FBI’s] actions, we are introducing new rules, or rather, we are removing ALL rules, except one: you cannot touch the CIS. You can now block hospitals, nuclear power plants, anything, anywhere.”
“One thing we do know is the collective of law enforcement agencies will certainly have carefully weighed short-term and long-term impact opportunity to ensure maximum disruption and impose maximum cost on LockBit,” says WithSecure’s West. “For this reason, we celebrate what would no doubt have been a complex and difficult operation and offer congratulations to those involved.”