Global taskforce cripples world's most notorious ransomware gang

In a decisive global strike against cybercrime, an international operation involving law enforcement from 10 countries has severely crippled the LockBit ransomware group. This notorious criminal operation, recognized as the most harmful and prolific ransomware gang globally, caused billions of euros in damages.

The coordinated operation targeted every level of LockBit's enterprise, leading to multiple arrests, the compromise of their primary platform, and the takedown of their dark web leak site.

Operation Cronos by National Crime Agency.

LockBit: A Cybercrime Empire

LockBit holds a grim track record, with infamous attacks against major corporations like aircraft manufacturer Boeing, chip giant TSMC, and sandwich chain Subway. Its relentless extortion tactics have targeted thousands of other organizations worldwide.

A Russia-based ransomware group, LockBit, burst onto the scene in 2019. Its notorious Ransomware-as-a-Service (RaaS) model involves a core team of developers licensing their malware to a network of affiliates. These affiliates launch attacks and split ransom profits with the main LockBit group. Victims are squeezed with ruthless efficiency through a combination of data encryption, the threat of data leaks, and overwhelming DDoS attacks.

According to official sources, the most active ransomware groups in the world have targeted over 2,000 victims, received over $120 million in ransom payments, and made ransom demands totaling hundreds of millions of dollars.

Under the banner of 'Operation Cronos,' spearheaded by the U.K.'s National Crime Agency and coordinated by Europol and Eurojust, international law enforcement agencies, in cooperation with the Justice Department, the Federal Bureau of Investigation (FBI), and other international partners, disrupted LockBit's operations by seizing multiple public-facing websites and servers used by LockBit administrators. The seizures disrupted the ability of LockBit actors to attack and encrypt networks and to extort victims by threatening to publish stolen data.

Months-long investigation yields decisive takedown

The extensive operation led to the infiltration of LockBit's primary platform and other essential elements of its criminal infrastructure. Law enforcement agencies successfully took down 34 servers in countries including the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom.

Two major LockBit actors were apprehended in Poland and Ukraine at the request of French authorities. International law enforcement also issued five indictments and three international arrest warrants in cooperation with French and U.S. officials.

To hamstring LockBit's financial apparatus, authorities seized over 200 cryptocurrency wallets linked to the ransomware group.

Hacking the hackers

The U.K.'s National Crime Agency has seized control of the technical infrastructure underpinning LockBit, including their infamous dark web leak site. Law enforcement agencies are analyzing a massive trove of data obtained during the investigation, which will assist in ongoing worldwide operations targeting LockBit's leadership, developers, affiliates, and infrastructure.

"This NCA-led investigation is a ground-breaking disruption of the world's most harmful cybercrime group," declared Graeme Biggar, Director General of the National Crime Agency. "Through our close collaboration, we have hacked the hackers, ... seized their source code, and obtained keys that will help victims decrypt their systems... LockBit may seek to rebuild, but we know who they are and how they operate. We will not stop in our efforts to target this group and anyone associated with them."

"For years, LockBit associates have repeatedly deployed these kinds of attacks again and again across the United States and worldwide. Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation," said Attorney General Merrick B. Garland in a US DOJ press release. "And we are going a step further — we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data. LockBit is not the first ransomware variant the Justice Department and its international partners have dismantled. It will not be the last."

Add Interesting Engineering to your Google News feed.