A coalition of international law enforcement agencies, including the U.S. Federal Bureau of Investigation and the U.K.’s National Crime Agency, have disrupted the operations of the notorious LockBit ransomware gang.
LockBit’s dark web leak site — where the group publicly lists its victims and threatens to leak their stolen data unless a ransom demand is paid — was replaced with a law enforcement notice on Monday.
Since it first emerged as a ransomware operation in late 2019, LockBit has become one of the world’s most prolific cybercrime gangs, targeting victims around the world and netting millions of dollars in extorted ransom payments.
Hattie Hafenrichter, a spokesperson for the U.K.’s National Crime Agency, confirmed to TechCrunch that “LockBit services have been disrupted as a result of international law enforcement action.” A message on the downed leak site confirmed that the site is “now under the control of the National Crime Agency of the U.K., working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”
At the time of writing, the site now hosts a series of information exposing LockBit’s capability and operations, including back-end leaks and details on LockBit’s alleged ringleader, known as LockBitSupp.
Operation Chronos is a task force headed by the NCA and coordinated in Europe by law enforcement agencies Europol and Eurojust. The ransomware takedown operation also involved other international police organizations from Australia, Canada, France, Finland, Germany, the Netherlands, Japan, Sweden, Switzerland and the United States.
In its announcement on Tuesday, Europol confirmed that the months-long operation has “resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise.” This includes the takedown of 34 servers across Europe, the U.K. and the United States, along with the seizure of more than 200 cryptocurrency wallets.
It’s not yet known how much cryptocurrency was stored in these wallets, or how much the authorities seized.
Separately, the U.S. Justice Department unsealed indictments against two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev, for their alleged involvement in launching LockBit cyberattacks.
The DOJ previously charged three other alleged LockBit ransomware members: Mikhail Vasiliev, a dual Russia-Canadian national, is currently in custody in Canada awaiting U.S. extradition; and Russian national Ruslan Magomedovich Astamirov is in custody in the U.S. awaiting trial. A third suspected member, Mikhail Pavlovich Matveev, aka Wazawaka, is believed to live in the Russian enclave of Kaliningrad and remains subject to a $10 million U.S. government bounty for information that leads to his arrest.
Two alleged LockBit actors have also been arrested in Poland and Ukraine at the request of the French judicial authorities.
Prior to Monday’s takedown, LockBit claimed on its dark web leak site that it was “located in the Netherlands, completely apolitical and only interested in money.”
As part of Operation Cronos, law enforcement agencies say they have obtained decryption keys from LockBit’s seized infrastructure to help the ransomware gang’s victims regain access to their data.
Allan Liska, a ransomware expert and threat intelligence analyst at Recorded Future, tells TechCrunch that this action “is absolutely the end of the LockBit operation in its current form.”
“While the main spokesperson for the LockBit operation, LockBitSupp, won’t be arrested, his operation is crippled, and his infrastructure is completely exposed. Based on past takedowns like this, this will have serious impact on his reputation and his ability to attract new affiliates in the future,” Liska said.
According to the DOJ, LockBit has been used in approximately 2,000 ransomware attacks against victim systems in the U.S. and worldwide, and has received more than $120 million in ransom payments.
Matt Hull, head of threat Intelligence at U.K.-based cybersecurity firm NCC Group, told TechCrunch that the company recorded more than a thousand victims of LockBit during 2023 alone, or “22% of all ransomware victims we identified for the whole year.”
LockBit and its affiliates have claimed responsibility for hacking some of the world’s largest organizations. The group last year claimed responsibility for attacks against aerospace giant Boeing, chipmaker TSMC and U.K. postal giant Royal Mail. In recent months, LockBit has claimed responsibility for a ransomware attack on the U.S. state of Georgia’s Fulton County, which has disrupted key county services for weeks, and for cyberattacks targeting India’s state-owned aerospace research lab and one of India’s largest financial giants.
Monday’s takedown is the latest in a series of law enforcement actions targeting ransomware gangs. In December, a group of international law enforcement agencies announced they had seized the dark web leak site of the notorious ransomware gang known as ALPHV, or BlackCat, which claimed a number of high-profile victims, including news-sharing site Reddit, healthcare company Norton and London’s Barts Health NHS Trust.
Read more on TechCrunch:
Why are ransomware gangs making so much money?Why ransomware victims can’t stop paying off hackersDo government sanctions against ransomware groups work?Why extortion is the new ransomware threat
US sanctions LockBit members after ransomware takedown