Fraud Management & Cybercrime , Ransomware

LockBit Infrastructure Seized by US, UK Police

LockBit Ransomware Operations Is Latest to Fall in Series of Takedowns
LockBit Infrastructure Seized by US, UK Police
LockBit's Tor-based data leak site as of Feb. 19, 2024. (Image: Operation Cronos)

An international law enforcement operation seized the infrastructure of Russian-speaking cybercriminal group LockBit, a prolific ransomware-as-a-service operation, marking the latest in a series of digital takedowns.

See Also: Defend Your Business Against Web-Based Threats

The group's dark web leak site now displays a seizure notice left by British and U.S law enforcement declaring that "Operation Cronos" is responsible.

A U.K. National Crime Agency spokesperson confirmed the seizure of LockBit in an emailed statement on Monday.

"The NCA can confirm that LockBit services have been disrupted as a result of international law enforcement action. This is an ongoing and developing operation."

LockBit is among the largest ransomware-as-a-service operations, emerging in 2019. It depends on other hackers - affiliates - to do the actual hacking, offering them up to 75% of any ransom made with its encryptor. The operation has racked up more than 3,000 known victims, although the actual number is likely much higher.

Malware researcher vx-underground posted on Twitter that affiliates logging onto the operation's administrative panel see a note warning that law enforcement has seized "source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats and much, much more."

"Today is a great day. It's going to be very disruptive to the ransomware ecosystem," said Allan Liska, a principal intelligence analyst with Recorded Future. "It's going to have a material impact on the number of ransomware attacks."

LockBit is one of a string of Russian-speaking ransomware groups whose servers have been seized by law enforcement. Others include Alphv - also known as BlackCat - and Hive (see: FBI Seizes Hive Ransomware Servers in Multinational Takedown).

Liska told Information Security Media Group he attributed the uptick in seizures to an international ransomware task force set up by the Biden administration consisting of 37 governments that share intelligence among themselves.

"The information sharing between countries is apparently really good, and everybody who is a part of it is motivated to share whatever intelligence they have," he said.

The seizure is a major setback for the LockBit group. Earlier, some of its affiliates were arrested, and in September 2022 its source code was leaked, apparently by a disgruntled coder. U.S. prosecutors in June arrested suspected affiliate Ruslan Magomedovich Astamirov after charging him with carrying out at least four LockBit ransomware attacks against businesses in the United States, Asia, Europe and Africa.

In 2023, the group found it difficult to stop affiliates from leaving amid apparent operational problems (see: Victim of Its Own Ransomware Success: LockBit Has Problems).

Without arrests of central figures within the operation, Monday's takedown may not be permanent. Other cybercriminal groups have gone through infrastructure seizures only to regroup and rebuild, often under a different name.

LockBit took responsibility for a high-profile November attack of the New York financial services subsidiary of the Industrial and Commercial Bank of China, a ransomware incident that partially disrupted the market in U.S. Treasury investments. In January 2023, it attacked the Royal Mail in the United Kingdom, interrupting international delivery.

The full extent of Operation Cronos is unclear. A representative from the FBI said the bureau will make a formal announcement containing further details.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

David Perera

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.