A multinational operation involving law enforcement agencies from 11 countries has struck a decisive blow to the LockBit group, the world’s most prolific ransomware-as-a-service (RaaS) gang.
A taskforce of 17 agencies including the FBI, the UK’s National Crime Agency (NCA), and Europol took control of key LockBit infrastructure including numerous dark web websites.
The takedown of the Russian-speaking gang’s operations is the latest in a growing number of actions that have disrupted cybercriminal groups’ activities over recent months.
An FBI official told Bloomberg law enforcement from 11 different countries took part in the operation, which seized 11,000 domains used by LockBit and its ransomware affiliates. The operation, which disrupted LockBit’s infrastructure and targeted its malware deployment system, took place over recent days, the official said.
An NCA spokesperson confirmed LockBit’s operations had been “disrupted as a result of international law enforcement action”.
‘We know what you’ve been up to,’ affiliates warned
As a result of the takedown, several LockBit dark web websites were displaying messages indicating they were under NCA control, following the actions of an international taskforce called “Operation Cronos”.
LockBit affiliates attempting to log into the RaaS group’s administrative panel were greeted with a message advising them that law enforcement agencies had taken control of the gang’s platform and obtained all the information it held, according to a screenshot shared by vx-underground.
“This information relates to the LockBit group and you, their affiliate. We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more,” the message said.
The dismantling of LockBit’s assets adds to the list of recent aggressive actions authorities have taken against high-profile cybercriminal gangs.
In a similar takedown in January 2023, U.S. and international law enforcement authorities seized U.S.-based servers belonging to the Hive ransomware gang, and shutdown dark net sites run by the group.
Another major ransomware player, ALPHV/Black Cat appeared to be the victim of disruptive law enforcement action in December.
Last month the FBI took down a botnet of compromised small office/home office (SOHO) routers run by Chinese state-sponsored threat group Volt Typhoon. This month the agency dismantled another SOHO router botnet controlled by APT28, a threat group linked to Russia’s intelligence service.
Is this the end for ransomware’s top dog?
In 2023, ransomware groups collectively hauled in more than $1 billion in global annual revenue from their victim for the first time.
LockBit was established in 2019 and according to a report compiled the U.S. and international agencies last year, carried out about 1700 attacks between 2020 and mid-2023, extorting approximately $91 million from U.S. victims alone over the same period.
Some of the gang’s notable victims in recent months have included the Canadian Government, a U.S. subsidiary of a Chinese Bank, and a UK security fencing company.
“Since the demise of Conti in 2022, LockBit has been unchallenged as the most prolific ransomware group in the world,” Malwarebytes Labs cybersecurity evangelist Mark Stockley said in a post about the Operation Cronos takedown.
“In the last 12 months it has racked up more than two and half times as many known attacks as ALPHV, its closest rival.”
While LockBit has experienced difficulties in the past, including the 2022 leaking of its LockBit 3.0 source code, it now appears to be facing its biggest challenge for survival.
Assuming the gang was able to regroup after the takedown and rebuild its criminal infrastructure, the disruption would likely scare the affiliates who used LockBit’s ransomware tools and, in return, paid the gang a portion of the revenue they extorted.
“Even if LockBit can rebuild its infrastructure elsewhere those affiliates now have every reason to question its credibility,” Stockley said.
