Fraud Management & Cybercrime
,
Ransomware
LockBit Ransomware Operations Is Latest to Fall in Series of Takedowns
An international law enforcement operation seized the infrastructure of Russian-speaking cybercriminal group LockBit, a prolific ransomware-as-a-service operation, marking the latest in a series of digital takedowns.
See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government
The group’s dark web leak site now displays a seizure notice left by British and U.S law enforcement declaring that “Operation Cronos” is responsible.
A U.K. National Crime Agency spokesperson confirmed the LockBit seizure in an emailed statement on Monday.
“The NCA can confirm that LockBit services have been disrupted as a result of international law enforcement action. This is an ongoing and developing operation.”
LockBit is among the largest ransomware-as-a-service operations, emerging in 2019. It depends on other hackers – affiliates – to do the actual hacking, offering them up to 75% of any ransom made with its encryptor. The operation has racked up more than 3,000 known victims, although the actual number is likely much higher.
Malware researcher vx-underground posted on Twitter that affiliates logging onto the operation’s administrative panel see a note warning that law enforcement has seized “source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats and much, much more.”
“Today is a great day, it’s going to be very disruptive to the ransomware ecosystem,” said Allan Liska, a principal intelligence analyst with Recorded Future. “It’s going to have a material impact on the number of ransomware attacks.”
LockBit is one of a string of Russian-speaking ransomware groups to have their servers seized by law enforcement. Others include Alphv – also known as BlackCat – and Hive (see: FBI Seizes Hive Ransomware Servers in Multinational Takedown).
Liska told Information Security Media Group he attributed the uptick in seizures to an international ransomware task force set up by the Biden administration consisting of 37 governments that share intelligence among themselves.
“The information sharing between countries is apparently really good, and everybody a part of it is motivated to share whatever intelligence they have,” he said.
The seizure marks a major setback for the LockBit group, which earlier saw some affiliates arrested and the September 2022 leak of its source code, apparently by a disgruntled coder. U.S. prosecutors in June arrested suspected affiliate Ruslan Magomedovich Astamirov after charging him with carrying out at least four LockBit ransomware attacks against businesses in the United States, Asia, Europe and Africa.
In 2023, the group found difficulty in stopping affiliates from leaving amid apparent operational problems (see: Victim of Its Own Ransomware Success: LockBit Has Problems).
Without arrests of central figures within the operation, Monday’s takedown may not be permanent. Other cybercriminal groups have gone through infrastructure seizures only for them to regroup and rebuild, often under a different name.
LockBit took responsibility for a high-profile November attack of the New York financial services subsidiary of the Industrial and Commercial Bank of China, a ransomware incident that partially disrupted the market in U.S. Treasury investments. In January 2023, it attacked the royal Mail in the United Kingdom, interrupting international delivery.
The full extent of Operation Cronos is unclear. A representative from the FBI said the bureau will make a formal announcement with further details.