After joint UK-US-Europe operation, four arrested; LockBit victims aided in data recovery.
Law enforcement, specifically the UK’s National Crime Agency, now possesses the entire “command and control” infrastructure of the LockBit ransomware group, having seized the criminal gang’s website in a coordinated international operation.
Data retrieved from the hackers has led to four arrests, and authorities have pledged to use the technology to expose the group’s operations globally.
The collaborative effort involving the NCA, FBI, Europol, and international police agencies was disclosed through a post on LockBit’s website. The post stated, “This site is now under the control of the UK’s National Crime Agency, collaborating closely with the FBI and the international law enforcement taskforce Operation Cronos.”
According to Europol, authorities have apprehended two LockBit actors in Poland and Ukraine, with an additional two affiliates arrested and charged in the US. Furthermore, two Russian nationals remain at large. Over 200 cryptocurrency accounts linked to the criminal organization have been frozen.
The disruption to LockBit’s operations surpasses initial disclosures. Besides acquiring control of the public-facing website, the NCA also confiscated LockBit’s primary administrative environment—the infrastructure pivotal for managing and deploying the technology used to extort businesses and individuals worldwide.
Graeme Biggar, the NCA’s director-general, stated, “Through our close collaboration, we have disrupted the hackers by gaining control of their infrastructure, seizing their source code, and obtaining decryption keys to aid victims.”
“Today, LockBit is effectively incapacitated. We have significantly hindered the group’s capability and, notably, its credibility, which heavily relied on secrecy and anonymity.”
The organization pioneered the “ransomware as a service” model, outsourcing target selection and attacks to a network of semi-independent “affiliates.” It provides them with tools and infrastructure, earning commissions from ransoms in return.
In addition to ransomware, which commonly encrypts data on compromised devices and demands payment for decryption keys, LockBit also duplicated stolen data. The group threatened to release this information if the ransom was not paid, claiming they would delete the copies upon receiving payment.
However, the NCA revealed this promise to be untrue. Some of the data found on LockBit’s systems belonged to victims who had already paid the ransom.
Home Secretary James Cleverly remarked, “The NCA’s unparalleled expertise has dealt a significant blow to the individuals responsible for the world’s most prolific ransomware strain.”
“The operators of LockBit exhibit sophistication and strong organization, yet they have been unable to elude UK law enforcement and our global collaborators.”
Furthermore, the “hack back” initiative retrieved over 1,000 decryption keys intended for LockBit attack victims. Authorities will reach out to these individuals to assist in the restoration of their encrypted data.