The LockBit ransomware gang has suffered a major blow, after an international group of law enforcement agencies seized some of its infrastructure, source code, arrested two people in Poland and Ukraine and froze 200 cryptocurrency accounts.
The U.K.’s National Crime Agency (NCA) said Tuesday morning that, after infiltrating the group’s network, it took control of LockBit’s services in three countries — including 28 servers — compromising their entire criminal enterprise.
As part of the international operation, several servers in the U.S. used by LockBit members were disrupted. Those servers hosted what the gang called its “StealBit” data exfiltration platform.
“As of today, LockBit are locked out,” said the NCA. “We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”
LockBit may seek to rebuild its business, the NCA admitted. “However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”
“The NCA has taken control of LockBit’s primary administration environment,” it said in a statement, “which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims. Instead, this site will now host a series of information exposing LockBit’s capability and operations, which the NCA will be posting daily throughout the week.
“The Agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have worked with them and used their services to harm organizations throughout the world.”
Some of the data on LockBit’s servers had been stolen from organizations that had paid a ransom with the promise the gang would erase the information, proof that even when a ransom is paid it does not guarantee stolen data will be deleted.
There was also good news for victim firms: The action included the seizure of over 1,000 decryption keys, which police will be passing on to those hit by the LockBit strain of ransomware.
The U.K. announcement follows news reports by the Reuters news agency Monday night about the seizure of the gang’s website.
The site now says, “This site is now under the control of the National Crime Agency of the UK, working in close co-operation with the FBI and the international law enforcement task force, Operation Cronos.”
Participants in the action included Canada, France, Japan, Switzerland, Germany, Australia, Sweden, the Netherlands and Finland.
Reuters quotes vx-underground, a cybersecurity research website, saying LockBit has posted messages in Russian and shared on Tox, an encrypted messaging app, that the FBI hit its servers that run on the programming language PHP. The statement, which Reuters could not verify independently, added that the gang says it has backup servers without PHP that “are not touched”.
“This is likely the most significant disruption of a ransomware operation to date,” Brett Callow, a Canadian-based ransomware threat analyst at Emsisoft, said to IT World Canada.
“Lockbit is one of the longest-running cybercrime operations and has demonstrated cockroach-like durability. This disruption sends a clear message that no group is bulletproof and its affiliates and other associates will be wondering whether law enforcement has captured information that points to them. There’s more risk than ever. Cybercriminals know they can no longer operate with the impunity they once had.
LockBit has been targeted for some time by law enforcement agencies. That led to the arrest in November, 2022 of a man in Bradford, Ont., for his alleged role in the gang. Mikhail Vasiliev pleaded guilty on February 8th to multiple counts involving cyber-extortion, mischief and weapons charges relating to acts in Canada, including ransomware attacks on Toronto’s Hospital for Sick Children and the Indigo book chain.
The U.S. wants to extradite him to face charges there.
Separately, as part of the LockBit takedown announced Tuesday, the U.S. Justice Department unsealed an indictment in New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev — also known online as Bassterlord — with deploying LockBit against numerous victims in several nations. Additional criminal charges against Kondratyev were unsealed in California related to his deployment in 2020 of ransomware against a victim in that state. With the indictment unsealed today, a total of five alleged LockBit members — including Vasiliev in Canada — have been charged by the U.S. for their participation in the LockBit conspiracy.
Last June, cybersecurity agencies from seven countries including Canada and the U.S. released a joint background paper on the LockBit gang.
Measured by the number of victims claimed on the LockBit data leak site, in 2022, the gang was the most active global ransomware group that year.
When that report was issued seven months ago, the U.S. estimated victim organizations in that country alone had paid the gang US$91 million in ransoms since LockBit activity was first seen in January, 2020. The U.S. estimated 16 per cent of reported ransomware attacks on American government entities in the country — including schools and police forces — were identified as LockBit.
In a statement today, the U.S. said LockBit has targeted over 2,000 victims worldwide and received more than US$120 million in ransom payments.
Canada estimated LockBit was responsible for 22 per cent of attributed ransomware incidents in 2022.
In the short term, the law enforcement take down of LockBit will have a substantial impact on their operations, said Yossi Rachman, senior director of research at Semperis. In time, he added, they will resurface, likely under a different name, with current members likely joining or establishing other successful gangs. “While gangs such as LockBit boast daily about the names of their victims and have had the upper hand in the ransomware scourge, make no mistake that there is a global hunt underway for ransomware gangs and ring leaders. The technical people in these rings are still prone to mistakes which lead to takedowns like this one.”
Ilia Kolochenko, CEO and chief architect at ImmuniWeb, wondered if law enforcement agencies will pass the information about victims, data breaches and paid (or non-paid) ransoms to other national authorities to probe the victims of LockBit. He noted that the U.S. Office of Foreign Assets Control says paying ransoms may violate U.S. sanctions. It now has a good opportunity to review all payments made to LockBit, he said. Likewise, national data processing agreements under Europe’s General Data Protection Regulation (GDPR) may also want to compare a list of data breaches reported by victims and the breaches for which a ransom was paid to LockBit, he said. This may lead to investigations against breached companies who silently paid a ransom to conceal a data breach, without reporting it anywhere as required by law, Kolochenko said.
