LockBit Infrastructure Seized by US, UK Police
LockBit Ransomware Operation Is Latest to Fall in Series of Takedowns

An international law enforcement operation seized the infrastructure of Russian-speaking cybercriminal group LockBit, a prolific ransomware-as-a-service operation, marking the latest in a series of digital takedowns.
The group's dark web leak site now displays a seizure notice left by British and U.S. law enforcement declaring that "Operation Cronos" is responsible.
A U.K. National Crime Agency spokesperson confirmed the seizure of LockBit in an emailed statement on Monday.
"The NCA can confirm that LockBit services have been disrupted as a result of international law enforcement action. This is an ongoing and developing operation."
LockBit is among the largest ransomware-as-a-service operations, emerging in 2019. It depends on other hackers - affiliates - to do the actual hacking, offering them up to 75% of any ransom made with its encryptor. The operation has racked up more than 3,000 known victims, although the actual number is likely much higher.
Malware researcher vx-underground posted on Twitter that affiliates logging onto the operation's administrative panel see a note warning that law enforcement has seized "source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats and much, much more."
"Today is a great day. It's going to be very disruptive to the ransomware ecosystem," said Allan Liska, a principal intelligence analyst with Recorded Future. "It's going to have a material impact on the number of ransomware attacks."
LockBit is one of a string of Russian-speaking ransomware groups whose servers have been seized by law enforcement. Others include Alphv - also known as BlackCat - and Hive (see: FBI Seizes Hive Ransomware Servers in Multinational Takedown).
Liska told Information Security Media Group he attributed the uptick in seizures to an international ransomware task force set up by the Biden administration consisting of 37 governments that share intelligence among themselves.
"The information sharing between countries is apparently really good, and everybody who is a part of it is motivated to share whatever intelligence they have," he said.
The seizure is a major setback for the LockBit group. Earlier, some of its affiliates were arrested, and in September 2022 its source code was leaked, apparently by a disgruntled coder. U.S. prosecutors in June arrested suspected affiliate Ruslan Magomedovich Astamirov after charging him with carrying out at least four LockBit ransomware attacks against businesses in the United States, Asia, Europe and Africa.
In 2023, the group found it difficult to stop affiliates from leaving amid apparent operational problems (see: Victim of Its Own Ransomware Success: LockBit Has Problems).
Without arrests of central figures within the operation, Monday's takedown may not be permanent. Other cybercriminal groups have gone through infrastructure seizures only to regroup and rebuild, often under a different name.
LockBit took responsibility for a high-profile November attack on the New York financial services subsidiary of the Industrial and Commercial Bank of China, a ransomware incident that partially disrupted the market in U.S. Treasury investments. In January 2023, it attacked the Royal Mail in the United Kingdom, interrupting international delivery.
The full extent of Operation Cronos is unclear. A representative from the FBI said the bureau will make a formal announcement containing further details.