LockBit: How an international operation seized control of ‘the world’s most harmful cybercrime group’

An international task force of law-enforcement agencies from 10 countries, dubbed Operation Cronos, has disrupted the operations of the world’s most prolific ransomware group LockBit, responsible for high-profile cyber attacks on organizations across the globe.

In what Europol describes as a “significant breakthrough in the fight against cybercrime”, LockBit’s technical infrastructure and its public-facing leak site on the dark web was seized after a months-long operation.

On 19 February, Operation Cronos posted a message on the site that read:

“This site is now under the control of the National Crime Agency (NCA) of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.

“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation.”

On 20 February, the NCA published details of the operation – and replaced content on the LockBit website, which was used to host stolen data from victims, with an exposé on LockBit’s operations and capabilities, including decryption keys, news of two arrests and a $10 million reward for information on ‘LockBitSupp’, the gang’s alleged ringleader.

NCA Director General Graeme Biggar said: “This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cybercrime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

LockBit has been operating since 2019, when it first called itself ‘ABCD’ ransomware, targeting thousands of victims around the world with ransomware attacks that have cost billions of dollars in terms of both ransom payments and recovery costs.

A ransomware attack is one where cybercriminals hack into your device, use malicious software (malware) to encrypt and steal information, preventing you from accessing it, and then threaten to leak that data unless you pay a ransom in cryptocurrency.

LockBit essentially offered ransomware services to its global network of hackers or ‘affiliates’, giving them the malware and platform to carry out these attacks and collect ransoms from thousands of victims globally.

Among the group’s most prominent victims were the UK’s Royal Mail, aeroplane maker Boeing, China’s biggest bank ICBC and law firm Allen & Overy.

In the US alone, around 1,700 attacks have been attributed to LockBit since 2020, including governments at city and county level, emergency services and schools.

The task force seized LockBit’s bespoke data exfiltration tool, Stealbit, which was based in three countries and used to steal data, as well as 28 servers belonging to the group’s affiliates, said the NCA.

Meanwhile, the EU’s law-enforcement cooperation organization, Europol, coordinated the arrest of two LockBit members in Poland and Ukraine and froze 200 cryptocurrency accounts linked to the group.

In the US, indictment charges against Russian nationals Artur Sungatov and Ivan Kondratyev, aka ‘Bassterlord’, for using LockBit against businesses globally, were unsealed by the Department of Justice.

Operation Cronos has also obtained more than 1,000 decryption keys, which can help victims recover their data.

The NCA’s Biggar said: “Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

Cyber insecurity is the fourth biggest risk facing the world in the coming two years, according to the World Economic Forum’s Global Risks Report 2024, published in January. Moreover, Chainalysis reported this month that in 2023, ransomware payments globally exceeded $1 billion for the first time.

Yet there are steps businesses can take to protect themselves. Europol, for instance, regularly updates its tips to prevent ransomware infecting electronic devices, with a simple list of dos and don’ts and advice on what to do should a device become infected.

In addition, since 2020, the World Economic Forum's Partnership Against Cybercrime has brought experts from the private sector and law enforcement together to develop recommendations that enhance public-private collaboration to counter cybercrime. Following on from these recommendations, in January 2023, the Forum launched the Cybercrime Atlas initiative to map and better understand the cybercriminal ecosystem.

The initiative provides a platform for cybercrime investigators to collaborate and generate new insights into cybercriminal networks using open-source research. The Cybercrime Atlas community is made up of organizations who have a key role in the fight against cybercrime and can use actionable findings from Cybercrime Atlas research to systematically disrupt cybercrime.