LockBit Infrastructure Disrupted by Global Law Enforcers


Notorious ransomware gang LockBit has been taken down by a global law enforcement operation.

The UK's National Crime Agency (NCA) teamed up with the FBI, Europol and others on “Operation Cronos,” according to a message displayed on LockBit’s leak site.

According to screenshots posted on X (formerly Twitter), the group’s affiliate panel has also been seized by law enforcement, as well as internal data including chat messages, source code and details on victims and extortion payments.

“You can thank Lockbitsupp and their flawed infrastructure for this situation … we may be in touch with you very soon,” reads a message posted by law enforcement to the affiliate panel. Lockbitsupp is the handle of the believed ringleader of the ransomware group.

In a brief statement, an NCA spokesperson confirmed that the agency had led a coordinated takedown of the group’s current infrastructure and added that the situation was “ongoing and developing.”

Security researchers vx-underground claimed that at least 22 Tor sites associated with LockBit had been seized and/or taken down by law enforcement.


vx-underground cited the group’s administrator as claiming that law enforcement had compromised its infrastructure by exploiting CVE-2023-3824. This is a critical vulnerability in PHP’s handling of phar archives: insufficient length checking while reading PHAR directory entries can lead to a stack buffer overflow and potentially memory corruption or remote code execution. It was fixed in PHP 8.0.30, 8.1.22 and 8.2.8, so an unpatched PHP on a Tor-hosted panel would have been exposed to it.
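To make the bug class concrete, the following is an added illustration, not PHP’s code, not the phar format and not the original article’s: a toy, constructed directory-entry format in which a length field read from the file is trusted when copying a name into a fixed-size stack buffer (the same pattern the CVE description names), shown beside a hardened reader that bounds the length against both the destination buffer and the input actually present. The format, the 16-byte buffer size and the sample entries are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only. Toy directory-entry format (constructed for this example):
 *   [4-byte little-endian name_len][name_len bytes of name]
 * It is NOT the phar format and NOT PHP's code; it reproduces the bug class
 * the article names: a length read from the file is trusted when copying
 * into a fixed-size stack buffer. */

#define NAME_MAX 16   /* size of the stack buffer in both readers (assumption) */

static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable reader: checks only that the 4-byte header is present, then
 * memcpy()s name_len bytes into a 16-byte stack buffer. A name_len > 16
 * writes past the buffer (stack buffer overflow), and a name_len larger
 * than the input also reads out of bounds. Returns the name length.
 * Only call it with a well-formed entry; the oversized case is undefined
 * behaviour, which is exactly the point. */
static int entry_name_len_vulnerable(const uint8_t *buf, size_t len)
{
    char name[NAME_MAX];
    if (len < 4)
        return -1;
    uint32_t name_len = read_u32_le(buf);
    memcpy(name, buf + 4, name_len);   /* no bound against NAME_MAX or len */
    return (int)name_len;
}

/* Hardened reader: bounds name_len against the destination buffer and
 * against the bytes actually present before copying, and NUL-terminates.
 * Returns the name length, or -1 for a malformed entry. If out is non-NULL
 * it must hold NAME_MAX + 1 bytes and receives the name. */
static int entry_name_len_hardened(const uint8_t *buf, size_t len, char *out)
{
    if (len < 4)
        return -1;                      /* header truncated */
    uint32_t name_len = read_u32_le(buf);
    if (name_len > NAME_MAX)
        return -1;                      /* would overflow the stack buffer */
    if (name_len > len - 4)
        return -1;                      /* declared length exceeds input */
    char name[NAME_MAX + 1];
    memcpy(name, buf + 4, name_len);
    name[name_len] = '\0';
    if (out)
        memcpy(out, name, name_len + 1);
    return (int)name_len;
}

/* Constructed sample entries (not taken from any real archive). */
static const uint8_t GOOD_ENTRY[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
/* Declares a 64-byte name but carries only 5: the vulnerable reader would
 * memcpy 64 bytes into a 16-byte stack buffer and read past the input. */
static const uint8_t OVERSIZED_ENTRY[] = { 64, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
/* Declares 8 bytes but only 3 follow: a truncated entry. */
static const uint8_t TRUNCATED_ENTRY[] = { 8, 0, 0, 0, 'a', 'b', 'c' };

int main(void)
{
    char name[NAME_MAX + 1];
    printf("vulnerable, good entry: %d\n",
           entry_name_len_vulnerable(GOOD_ENTRY, sizeof GOOD_ENTRY));
    printf("hardened, good entry: %d (%s)\n",
           entry_name_len_hardened(GOOD_ENTRY, sizeof GOOD_ENTRY, name), name);
    printf("hardened, oversized entry: %d\n",
           entry_name_len_hardened(OVERSIZED_ENTRY, sizeof OVERSIZED_ENTRY, name));
    printf("hardened, truncated entry: %d\n",
           entry_name_len_hardened(TRUNCATED_ENTRY, sizeof TRUNCATED_ENTRY, name));
    return 0;
}
```

The oversized entry is deliberately never passed to the vulnerable reader, since doing so is a real stack smash; the hardened reader rejects it (and the truncated one) before any copy happens. The two checks are separate on purpose: one protects the destination, the other the source, and an archive parser needs both.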

LockBit has dominated the ransomware threat landscape over the past two years, demanding tens of millions of dollars in ransoms from big-name targets including the Royal Mail, chip giant TSMC and the state of California.

A recent report claimed it had listed 275 victims on its leak site during Q4 2023 alone.

However, as William Wright, CEO of Closed Door Security, argued, Operation Cronos is unlikely to lead to any arrests – as most ransomware actors are sheltered in states out of the reach of Western law enforcers.

“The one caveat to this takedown is that it may not spell absolute demise of LockBit. The attackers could resurface under new branding as we have seen with DarkSide to BlackMatter to BlackCat, and many others,” he added.

“Enterprises must therefore continue to protect their networks against ransomware. While law enforcement is making good progress, the battle is not over yet.”

NCA Seizes Encryption Keys, Confirms Arrests

The NCA confirmed the news at 11:30 GMT on February 20, 2024. In addition to the above, it revealed that over the past 12 hours, Operation Cronos investigators had seized infrastructure associated with LockBit’s bespoke data exfiltration tool, StealBit.

It added that 28 LockBit affiliate servers were taken down and two suspected actors were arrested in Poland and Ukraine, with over 200 cryptocurrency accounts frozen.

In the US, the Department of Justice (DoJ) said two LockBit suspects are in custody awaiting trial and it released indictments against a further two – both Russian nationals.

The NCA said it had over 1000 decryption keys and would be contacting UK-based victims in the coming days and weeks to help them recover encrypted data.

“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cybercrime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the agency and our partners,” said NCA director general, Graeme Biggar.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”
