In a significant blow to cybercrime, law enforcement agencies have successfully infiltrated and disrupted the notorious ransomware syndicate LockBit, responsible for extorting $120 million from thousands of victims worldwide. The operation, led by Britain's National Crime Agency (NCA), resulted in the arrests of two individuals in Poland and Ukraine and the seizure of 200 cryptocurrency accounts. The U.S. Justice Department also unsealed indictments against two Russian nationals linked to the syndicate.
LockBit, known for its ransomware-as-a-service model, has been a dominant force in the cybercrime landscape since 2019, accounting for 23% of global ransomware attacks last year. The group has targeted high-profile organizations, including the U.K.'s Royal Mail, Britain's National Health Service, Boeing, Allen and Overy, and ICBC.
Authorities gained "comprehensive access" to LockBit's systems, taking control of its infrastructure and obtaining decryption keys to aid victims. "We have hacked the hackers," declared NCA's director general, Graeme Biggar. "LockBit has been locked out." The operation, dubbed Operation Cronos, involved collaboration with the FBI and agencies from Germany, France, Japan, Australia, New Zealand, Canada, and Europol.
The disruption of LockBit is considered one of the most significant ransomware disruptions to date. However, experts caution that the syndicate may re-emerge under a new name. "LockBit will likely go quiet for a time and come back as a re-branded organization," said Nick Hyatt, Director of Threat Intelligence at BlackPoint. "Organizations need to practice good security hygiene, understand their threat profiles, and have visibility into data that may be available on the Dark Web."
The operation aimed to steal all of LockBit's data and destroy its infrastructure, causing a major degradation of the cybercrime threat. Despite the lack of evidence linking LockBit to state sponsorship, officials suggest that Russia's tolerance of the gang's activities indicates a level of complicity.
This operation sends a clear message to ransomware syndicates that law enforcement is vigilant, but it also highlights the ongoing threat of ransomware, which remains a billion-dollar industry. Governments, law enforcement, and the security industry must continue their efforts to provide alternative means of recovery and disrupt the ransomware landscape.