LockBit Ransomware group disrupted by Police

Law enforcement from 10 countries have disrupted the criminal operation of the LockBit ransomware group at every level, severely damaging their capability and credibility.  LockBit is widely recognised as the world’s most prolific and harmful ransomware, causing billions of euros worth of damage.  This followed a complex investigation led by the UK’s National Crime Agency (NCA) in the framework of an international taskforce known as ‘Operation Cronos’, coordinated at the European level by Europol and Eurojust.  A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure and criminal assets linked to these criminal activities.

• The operation has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise. This included the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom.
• Two LockBit actors were arrested in Poland and Ukraine at the request of the French judicial authorities. Three international arrest warrants and five indictments have also been issued by the French and U.S. judicial authorities.
• Authorities have frozen more than 200 cryptocurrency accounts linked to the criminal organisation, underscoring the commitment to disrupt the economic incentives driving ransomware attacks.
• The UK’s NCA has  taken control of the technical infrastructure that allows all elements of the LockBit service to operate, as well as their leak site on the dark web, on which they previously hosted the data stolen from victims in ransomware attacks.

Decryption tools available on ‘No More Ransom’

With Europol’s support, the Japanese Police, the NCA and the US Federal Bureau of Investigation (FBI) have concentrated their technical expertise to develop decryption tools designed to recover files encrypted by the LockBit Ransomware.

These solutions have been made available for free on the ‘No More Ransom’ portal, available in 37 languages. So far, more than 6 million victims across the globe have benefitted from ‘No More Ransom’ which contains over 120 solutions capable of decrypting more than 150 different types of ransomware.

About Lockbit

• LockBit first emerged at the end of 2019, first calling itself ‘ABCD’ ransomware.  Since then, it has grown rapidly and in 2022 it became the most deployed ransomware variant across the world.
• The group is a ‘ransomware-as-a-service’ operation, meaning that a core team creates its malware and runs its website, while licensing out its code to affiliates who launch attacks.
• LockBit’s attack presence is seen globally, with hundreds of affiliates recruited to conduct ransomware operations using LockBit tools and infrastructure.  Ransom payments were divided between the LockBit core team and the affiliates, who received on average three-quarters of the ransom payments collected.
• The ransomware group is also infamous for experimenting with new methods for pressuring their victims into paying ransoms.  Triple extortion is one such method which includes the traditional methods of encrypting the victim’s data and threatening to leak it, but also incorporates Distributed Denial-of-Service (DDoS) attacks as an additional layer of pressure.
• The gang’s move to triple extortion was partly influenced by a DDoS attack they themselves experienced, which impeded their ability to publish stolen data.  In response, LockBit enhanced their infrastructure to resist such attacks.

This infrastructure is now under law enforcement control, and more than 14,000 rogue accounts responsible for exfiltration or infrastructure have been identified and referred for removal by law enforcement.  For more information read the Europol Press announcement.

EAST Response

EAST focusses on tackling ransomware and cybercrime through the EAST Expert Group on Payment and Transaction Fraud (EPTF). The next EPTF meeting will be held on 17th April 2024.