20-2-2024 (LONDON) Lockbit, a notorious cybercrime gang known for ransom attacks on organizations, has faced disruption in an unusual international law enforcement operation, as announced by US and UK authorities on Monday.
The operation, led by Britain’s National Crime Agency (NCA), the US Federal Bureau of Investigation (FBI), Europol, and a coalition of global law enforcement agencies, saw the takeover of Lockbit’s extortion website. A notice posted on the site declared, “This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos.’”
Spokespersons from the NCA and the US Department of Justice confirmed the disruption, emphasizing that the operation is ongoing and evolving.
Lockbit, deemed the world’s top ransomware threat, has targeted over 1,700 organizations across various sectors in the United States, including financial services, food, education, transportation, and government departments.
A Lockbit representative did not respond to Reuters’ messages but indicated on an encrypted messaging app that the gang’s backup servers remained unaffected. The FBI has not yet provided comments on the situation.
International police organizations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland, and Germany were also involved in the operation against Lockbit and its affiliates, which have targeted some of the world’s largest organizations, extorting money by stealing and threatening to leak sensitive data.
Lockbit operates as a criminal enterprise, recruiting affiliates to carry out digital extortion attacks. The group, often referred to as the “Walmart of ransomware groups,” runs its operations with a business-like approach, making it a formidable player in the cybercrime landscape.
The cybercriminals were first identified in 2020, and while their software was initially found on Russian-language cybercrime forums, Lockbit’s base remains unconfirmed. The group, not aligning itself with any government, claimed to be located in the Netherlands, maintaining an apolitical stance and expressing a sole interest in financial gains.
Lockbit gained notoriety in November 2023 when it exposed internal data from Boeing, a leading defense and space contractor. Earlier in 2023, the group severely disrupted Britain’s Royal Mail through a cyberattack.
According to cybersecurity research site vx-underground, Lockbit, in a statement shared on encrypted app Tox, claimed that the FBI targeted its PHP-run servers, while asserting the existence of untouched backup servers without PHP.
Screenshots shared on X (formerly Twitter) by vx-underground depicted the control panel used by Lockbit’s affiliates replaced with a message from law enforcement, indicating possession of source code, victim details, extortion amounts, stolen data, and chats. The message hinted at potential communication with the hackers in the near future.
Lockbit’s website, which previously displayed an expanding gallery of victim organizations, updated daily with countdowns to ransom deadlines, now features a countdown set by law enforcement agencies. The post asks visitors to return for more information at 11:30 GMT on Tuesday, 20th Feb.
Don Smith, Vice President of Secureworks, a Dell Technologies subsidiary, highlighted the significance of the takedown, stating that Lockbit held a substantial 25% share of the ransomware market, surpassing competitors.