
Major International Operation Against Cybercrime and LockBit Ransomware Group


On February 20, a coordinated effort led by the National Crime Agency (NCA) and FBI, among others, resulted in a significant blow to the LockBit ransomware group. This operation involved the seizure of key infrastructure and the arrest of two individuals associated with the group, marking a substantial disruption to their operations. Find out more in this week’s Cyber Security Insights.

Figure 1. Seizure message posted on LockBit’s darknet site

Background about the Ransomware Group LockBit

LockBit is a ransomware group based in Russia that was first spotted in September 2019, initially calling itself “ABCD” before changing its name in January 2020. LockBit operates a Ransomware as a Service (RaaS) model in which affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. In RaaS, operators typically receive ransoms from victim organizations and distribute them to affiliates; LockBit, however, ensured that affiliates received the ransom up front before sending a cut to the operator. Through this model, the group was able to attract a large number of affiliates.

The attack activity was so intense that LockBit was the most productive ransomware group in 2022 and 2023, with over 1 035 confirmed victims in 2023, more than double the 419 victims reported by CL0P (in second place) and the 418 reported by ALPHV (in third place).

To date, more than 2 000 organizations worldwide have been affected by LockBit and have paid more than $120 million in ransom. In Japan, more than 100 organizations have been affected, most notably Tsurugi Municipal Handa Hospital in Tokushima Prefecture in October 2022 and the Nagoya Port Container Terminal in July 2023.

Operation to Seize Infrastructure

The NCA, the US Department of Justice and Europol announced on February 20 that they had conducted a major seizure operation against LockBit. The operation was part of Operation Cronos, a collaboration between the NCA, FBI, Europol and other agencies in 10 countries to investigate LockBit.

Figure 2. Europol News Release

The operation resulted in the seizure of LockBit’s platform and other critical infrastructure, including 34 servers, approximately 1000 decryption keys and more than 14 000 rogue accounts, and in the freezing of more than 200 cryptocurrency accounts. In addition, two people were arrested in Poland and Ukraine, and three international arrest warrants and five indictments were issued in France and the United States.

The seized servers contained stolen data from victim organizations that had paid ransoms to LockBit, reiterating that paying a ransomware group does not result in the deletion of stolen data.

Law enforcement updated LockBit’s darknet site with a notice of their takeover and, in addition, created pages mimicking the original leak site to disseminate information, including press releases, decryption key assistance, and requests to report cyber-attacks (Figure 3). Some of the messages were provocative and directed at LockBit’s alleged ringleader, known as LockBitSupp.

Law enforcement agencies stated that the investigation into LockBit was ongoing. Japan’s National Police Agency also announced its cooperation in the operation, including providing information and creating a tool to decrypt encrypted files.

Figure 3. LockBit’s leak site updated by law enforcement.

LockBit’s Response to Seizure Operations

Within days of the seizure operations, LockBit launched a new darknet leak site and resumed posting threats to victim organizations.

Figure 4. LockBit’s new darknet leak site. The first post (bottom right) is a link to a message for law enforcement.

The site included messages for law enforcement. LockBit believed the takedown was in response to a compromise of Fulton County, Georgia, US, that had implications for Donald Trump’s court cases and the upcoming US election. LockBit also stated that a PHP flaw led to the seizure of vulnerable sites by the investigators. It additionally claimed that the decryption keys obtained were only a fraction of the keys issued by LockBit, and that it would continue to launch ransomware attacks in an attempt to provoke law enforcement.

Summary

In this operation, investigators successfully seized servers and accounts that were used in many ransomware attacks, and so far appear to have succeeded in reducing LockBit’s abilities despite the presumed leader’s new leak site and messages. It is hoped that the accumulation of such operations, together with cooperation between multiple agencies worldwide, will lead to the arrest of key individuals of interest and ultimately to major limitations on LockBit’s capabilities.

About our Cyber Security Insights

This blog post is part of our Cyber Security Insights, which are released several times every month, providing invaluable insights into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services Department’s OSINT Monitoring Team and NTT Security Sweden’s Incident Response Team, our content includes expert analysis on recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.
