Law enforcement agencies from several countries, including the U.K.’s National Crime Agency (NCA), have dealt a significant blow to the notorious LockBit ransomware gang. The operation involved seizing infrastructure and source code, arresting two individuals in Poland and Ukraine, and freezing 200 cryptocurrency accounts associated with the group.
The NCA, along with international partners, infiltrated LockBit's network, taking control of its services in three countries and compromising 28 servers, effectively crippling the gang's criminal activities. This included disrupting servers in the U.S. that hosted their "StealBit" data exfiltration platform.
The NCA emphasized that LockBit's capabilities and credibility have been severely damaged, and said it is determined to continue targeting the group and its affiliates. The agency has taken control of LockBit's primary administration environment and its public-facing leak site on the dark web, where it will now post information exposing LockBit's operations.
Additionally, the NCA has obtained LockBit's source code and intelligence on their activities and associates. The operation also resulted in the seizure of over 1,000 decryption keys, which will be provided to victims of LockBit ransomware attacks.
The U.K. announcement follows reports of the seizure of the gang's website, which now indicates that it is under the control of the NCA, working with international partners.
LockBit has been a target of law enforcement for some time, leading to previous arrests and charges. The recent takedown involved the unsealing of indictments against Russian nationals Artur Sungatov and Ivan Kondratyev, who are accused of deploying LockBit against numerous victims.
The joint background paper released last June by cybersecurity agencies from seven countries highlighted LockBit's significant activity in 2022, with the gang being the most active global ransomware group that year.
The U.S. estimated that LockBit had targeted over 2,000 victims worldwide and received more than US$120 million in ransom payments. Canada estimated that LockBit was responsible for 22 per cent of attributed ransomware incidents in 2022.
While the takedown will have a substantial short-term impact on LockBit's operations, experts warn that the group may resurface under a different name, with current members joining or establishing other gangs. There is a global effort to hunt down ransomware gangs and their leaders, and technical mistakes by these groups can lead to successful takedowns like this one.
There are also implications for victims of LockBit. Law enforcement agencies may share information about data breaches and ransom payments with other national authorities for further investigation. Paying ransoms may violate U.S. sanctions, and the GDPR in Europe requires reporting data breaches, potentially leading to investigations against companies that paid ransoms to conceal breaches.