UPDATED 16:14 EDT / FEBRUARY 20 2024


Authorities arrest two LockBit members, disrupt ransomware group’s infrastructure

An international law enforcement task force has arrested two LockBit members, disrupted the ransomware-as-a-service gang’s infrastructure and released a file decryption tool for victims.

The task force, which included authorities from 11 countries, disclosed the operation today. It was carried out as part of an investigation that the European Union’s Eurojust agency had launched in early 2022 at the request of French officials. The operation itself reportedly took place in recent days.

The disruption of LockBit first came to light on Monday, when the law enforcement task force seized a website the group had used to leak victims’ data. A notice on the website detailed that authorities were planning to release more information about the operation today. That disclosure arrived early this morning in the form of announcements from three of the task force’s participants: The U.K.’s National Crime Agency, the U.S. Justice Department and Europol.

Police have arrested two LockBit members in Poland and Ukraine as part of the operation. In conjunction, French and U.S. judicial authorities issued international arrest warrants and indictments for a number of other individuals connected to the group. Two of the indicted individuals were slapped with sanctions by the U.S. Department of Treasury.

The task force, which is known as Operation Cronos, has also disrupted the infrastructure LockBit used to support ransomware attacks. Europol said that “the months-long operation has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise.” The disrupted assets included 34 servers hosted in more than a half dozen countries, as well as about 11,000 malicious domains.

LockBit didn’t carry out ransomware attacks directly. Instead, it provided malware and related hacking resources to other cybercrime groups dubbed affiliates. Those affiliates used LockBit’s software to carry out cyberattacks and paid the group a percentage of the collected ransom payments.

The FBI said today that the group and its affiliates have collected more than $120 million in ransomware payments from over 2,000 victims. At one point, LockBit was ranked as the world’s most active ransomware group. Bank of America Corp., Boeing Co. and the U.K.’s Royal Mail Group Ltd are among the organizations the group targeted over the years.

The LockBit infrastructure assets that law enforcement have seized include the panel the ransomware group used to interact with its affiliates. That panel now displays a notice informing affiliates that authorities possess detailed data about their activities. “We may be in touch with you very soon. Have a nice day. Regards, The National Crime Agency of the U.K., the FBI, Europol and the Operation Cronos Law Enforcement Task Force,” reads the note.

Alongside information about LockBit affiliates, authorities have obtained other data assets from the group’s network including over 1,000 decryption keys. Officials used those keys to develop a file decryption tool for ransomware victims.

LockBit is the latest in a series of hacking groups to have been disrupted by law enforcement in recent months. Previously, an FBI-led task force shut down a number of malicious websites used by ALPHV, a prolific ransomware-as-service gang. A group of law enforcement agencies earlier carried out a similar operation against another ransomware group known as Hive. 

Image: Unsplash

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy