LAW ENFORCEMENT DISRUPTS LOCKBIT RANSOMWARE

The governments of the United States and the UK have apprehended two key members of the LockBit Ransomware Group and assumed control over LockBit websites and infrastructure. This operation is part of a broader crackdown on the group.

 

Operation Cronos, a global initiative targeting the LockBit ransomware group, began its investigations in 2022, and this development is considered a major milestone in the ongoing effort. Law enforcement has seized multiple public-facing websites used by LockBit administrators to connect to their organization's infrastructure and has taken control of LockBit admin servers. As part of the operation, they have also obtained keys from the seized infrastructure that could help LockBit's victims decrypt their captured systems and regain access to their data.

 

LockBit is a notorious ransomware group recently reported to be responsible for 25% of data leaks to ransomware leak sites, according to the Talos Intelligence 2023 Year in Review Report. The LockBit Group, which also sells its ransomware in a "Ransomware as a Service" model, employs a bespoke data exfiltration tool called 'StealBit', and its ransomware has been described as the "fastest encryption software all over the world" on underground forums. The group uses a 'Double Extortion' model, encrypting victims' files and systems while simultaneously threatening to release the stolen data on the internet.

 

According to the US Attorney General, Merrick B. Garland, "Over the past few days, the Justice Department has collaborated with our partners in the United Kingdom and around the world to dismantle LockBit, one of the most prolific ransomware variants. Together, we dismantled and seized the infrastructure that the LockBit ransomware group used to target over 2000 victims and extort more than $120 million in ransom payments."

 

In a similar statement, the UK's National Crime Agency said, "The NCA has taken control of LockBit’s primary administration environment, enabling affiliates to build and carry out attacks. Additionally, the group’s public-facing leak site on the dark web, where they previously hosted and threatened to publish data stolen from victims, is now under NCA control. This site will host a series of information exposing LockBit’s capabilities and operations, with the NCA posting daily updates throughout the week. The agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have collaborated with them to harm organizations worldwide."

 

More to follow…