A Global Police Operation Just Took Down the Notorious LockBit Ransomware Gang

LockBit’s website, infrastructure, and data have been seized by law enforcement—striking a huge blow against one of the world’s most prolific ransomware groups.

For the past four years, the LockBit ransomware group has been on an unrelenting rampage, hacking into thousands of businesses, schools, medical facilities, and governments around the world—and making millions in the process. A children’s hospital, Boeing, the UK’s Royal Mail, and sandwich chain Subway have all been recent victims.

But LockBit’s hacking campaign has come to a juddering halt. A sweeping law enforcement operation, led by police at the UK’s National Crime Agency (NCA) and involving investigators from 10 forces around the world, has infiltrated the ransomware group and taken its systems offline.

Graeme Biggar, the director general of the NCA, says the group has been “fundamentally disrupted.” The law enforcement operation, called Operation Cronos, has taken control of LockBit's infrastructure and administration system, seized its dark-web leak site, accessed its source code, seized around 11,000 domains and servers, and obtained details of the group's members. “As of today, LockBit is effectively redundant,” Biggar said at a press conference in London, appearing with law enforcement officials from the FBI and Europol. “We have hacked the hackers,” he says.

The action is one of the largest and potentially most significant ever taken against a cybercrime group. Biggar says the law enforcement officials consider LockBit, which is global in nature, to have been the “most prolific and harmful” ransomware group that has been active in recent years. It was responsible for 25 percent of attacks in the past year. “LockBit ransomware has caused losses of billions,” Biggar says of the overall costs of attacks and recovery.

In addition to the seizing of technical infrastructure, the law enforcement operations around LockBit also include arrests in Poland, Ukraine, and the United States, as well as sanctions for two alleged members of the group who are based in Russia. The group has members spread around the world, the officials said.

Nicole Argentieri, acting assistant attorney general at the US Department of Justice, says LockBit has received more than $120 million in ransomware payments, and that the action announced against the group is just the start of the clampdowns.

The law enforcement action against LockBit was first revealed when its ransomware website dropped offline on February 19 and was replaced by a holding page saying it had been seized by police. The LockBit group, which debuted as “ABCD” before changing its name, first appeared at the end of 2019. Since then, LockBit has rapidly attacked businesses and grown its name recognition within the cybercrime ecosystem. “LockBit has been a thorn in the side of businesses and governments for years, with well over 3,000 publicly known victims, and [has been] seemingly untouchable,” says Allan Liska, an analyst specializing in ransomware for cybersecurity firm Recorded Future. LockBit’s long roster of victims includes various US government organizations, ports, and automotive companies.

LockBit operates as a ransomware-as-a-service operation, with a core handful of members creating its malware and running its website and infrastructure. This core group licenses its code to “affiliates,” who launch attacks against companies, steal their data, and try to extort money from them. “LockBit is the last of the ‘open affiliate’ ransomware-as-a-service offerings, meaning anyone willing to cough up the cash can join their program with little or no vetting,” Liska says. “They likely have had hundreds of affiliates over the course of their run.”

LockBit affiliates have demanded millions of dollars from companies they hack—in one instance asking for $60 million from a car dealer based in the UK and recently setting an $800,000 ransom for a nonprofit hospital. If companies refuse to pay, their data is published online. Earlier this month, LockBit posted 43 GB of data allegedly stolen from defense firm Boeing. Cybersecurity firm Secureworks, which has published a new analysis of the group, says LockBit’s leadership “ceded control to its affiliates” and essentially had “little oversight over affiliates’ actions or choice of victims.” This approach allowed the group to grow quickly but also added an “element of chaos” into its actions, according to Secureworks.

“They are quite indiscriminate in their targeting,” says Brett Callow, a threat analyst at antivirus company Emsisoft. The police action is likely to be the “most significant ransomware disruption” against a ransomware group to date, Callow says. He says the group has had a “cockroach-like resilience” since it was created, and that the law enforcement action is likely to send “shockwaves” through the largely Russian ransomware ecosystem. “Anybody who collaborated with LockBit will be concerned that law enforcement are now in possession of info that will point to them.”

As part of the law enforcement operation, officials say they have obtained a huge trove of information about the operation of LockBit and who its members may be. More than 200 cryptocurrency wallets linked to the group have been seized. Also within the gathered information is company data from ransomware attacks where victims have paid a ransom to LockBit, according to the NCA. “Even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” the police force says. The law enforcement bodies involved in the takedown have also obtained decryption keys for companies and organizations that have had their data locked but not paid to regain access.

Jon DiMaggio, chief security strategist at Analyst1, who has studied the group for years and been in constant contact with its leadership, says LockBit stands out from other cybercrime groups due to its “disciplined” and professionalized nature. The ransomware group has issued updates to its malware and encryption technologies multiple times and tried to stay under the radar, compared with other ransomware groups, which have bragged about their activities.

DiMaggio says the leader of LockBit, who uses the online persona LockBitSupp, appears not to have been a technically skilled hacker themselves but more likely had a “background” in running a business and handling money. “They literally [ran] it like it was a legitimate business,” DiMaggio says, adding that the group has strictly controlled the systems its core members use to communicate and that LockBitSupp appears to have been skilled in their operational security.

However, LockBit has also fallen into some boasting and grandstanding. The group organized an essay writing competition on a Russian-language cybercrime forum, with paid prizes for the winners. The most bizarre incident happened in September 2022 when the group offered to pay $1,000 to anyone who got a tattoo of its logo. Around 20 people posted photos and videos of tattoos on their arms, legs, wrists, and more. The group has also offered a bounty of $10 million if someone successfully found and published the real name of the person behind LockBitSupp.

As part of the operation against LockBit, law enforcement officials have repurposed the group's own leak website where it published information about victims. The website now displays—in the style of LockBit—links to the police press release, sanctions, and ransomware recovery tools. Officials say they are planning to publish more information about the group and its activities every day. One icon on the seized LockBit website teases that the identity of LockBitSupp may be revealed this week.

The takedown of LockBit comes as law enforcement agencies around the world have taken a progressively more aggressive approach to cybercrime groups in recent years. Police forces and even military hacking groups have successfully taken operations offline, in some cases claiming to create and share decryption keys to unlock encrypted files. These actions have often been accompanied by sanctions and indictments for key members of the cybercrime underground. The result has been a splintering of the cybercrime ecosystem with large-scale ransomware groups such as Conti and Trickbot breaking up, and some of their members reforming as smaller, less effective ransomware groups.

The takedown operation has—for the time being, at least—stopped one of the most long-lasting, notorious, and persistent ransomware groups. But it comes as payments to ransomware groups have hit record highs, and the threat to businesses remains prolific. Data released by cryptocurrency-tracing firm Chainalysis at the start of February revealed that across the whole of 2023, ransomware payments exceeded $1.1 billion—the highest they’ve ever been. Many criminals are also based in Russia, which has largely turned a blind eye to their actions and very rarely extradites those wanted abroad.

While the LockBit takedown is significant, it may be only temporary. Previous ransomware groups have reformed as new brands and continued their hacking and extortion. “Disruption of the LockBit ransomware service would seriously slow down the number of ransomware attacks, even though it might be temporary,” Recorded Future’s Liska says.

Perhaps more than anything else, the takedown is likely to send a message to LockBit’s affiliates and act as a sign that the group’s brand is tainted. A screenshot shared by cybersecurity research website VX-Underground appears to show a message received by LockBit affiliates trying to log in to its systems: “We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more. You can thank LockbitSupp and their flawed infrastructure for this situation … we may be in touch with you very soon.”

In recent weeks, DiMaggio says, the LockBitSupp administrator has been behaving more erratically after being banned from two prominent Russian hacking forums. However, DiMaggio believes they may try to bring the group back under the same name. “The guy’s ego is so big and he’s so attached to that brand, I truly do not think that he will rebrand,” DiMaggio says. “Hopefully, it’ll be a watered-down version, and hopefully the real elite affiliates that now work for him will be concerned about working for him again.”

Updated: 2/20/2024, 9:28 am EST: This story has been updated with more details about the takedown of LockBit.