Global Law Enforcement Disrupts LockBit Ransomware Gang

February 20, 2024

An international law enforcement operation, named Operation Cronos, has successfully disrupted the activities of the notorious LockBit ransomware group. This operation was a collaboration between authorities from the US, Canada, UK, Europe, Japan, and Australia. The authorities have seized control of the group's platform and acquired data related to its global ransomware-as-a-service (RaaS) operation. The seized information includes source code, details of ransomware victims, stolen data, decryption keys, and the amount of money extorted by LockBit and its affiliates.

The news of the operation was first reported on February 19 when a screenshot of a message from the authorities was posted on the Vx-Underground account on the X (formerly Twitter) platform. The message cited 'Lockbitsupp [sic] and its flawed infrastructure' as the reason for the seizure. It was signed by the FBI, the National Crime Agency (NCA) of the UK, Europol, and the Operation Cronos Law Enforcement Task Force. The NCA later confirmed the law enforcement activity in a press release. They have taken control of LockBit's primary administration environment and the group's public-facing leak site.

The authorities have also seized the LockBit platform's source code and gathered a significant amount of intelligence about their activities and their collaborators. They have also obtained a thousand LockBit decryption keys. The respective authorities will be contacting the victims to help them use these keys to recover their data. 'LockBitSupp' is the technical support service that operates the LockBit operation. The account status of LockBitSupp on the Tor messaging service now shows a message stating that authorities breached the ransomware operation's servers using a PHP exploit. This exploit is tracked as CVE-2023-3824.

The NCA did not confirm how the authorities breached LockBit's operations, but they stated that this technical infiltration and disruption is only the start of a series of actions against LockBit and its affiliates. As a part of this group effort, Europol arrested two LockBit actors in Poland and Ukraine. More than 200 cryptocurrency accounts linked to the group have also been frozen.

LockBit is one of the world's largest RaaS operations. It has been aggressively targeting organizations and their data with custom malware tools and a network of cybercriminal affiliates since 2019. Between 2020 and June of last year, the group extorted around $91 million across 1,700 cyberattacks in attacks against US organizations. LockBit initially targeted small and midsize companies, but over the years, they have started to target larger and more recognizable organizations. Some of its recent victims include aviation manufacturer Boeing, sandwich maker Subway, Hyundai Motor Europe, and Bank of America, among others.

Despite the recent law enforcement actions, experts believe that these actions will only slow down the group's pace of attacks in the immediate future, but they probably won't completely stop LockBit and its affiliates from participating in ransomware activity. This is evidenced by the resurgence of the BlackCat/AlphaV and Cl0p gangs after their dismantling.

Latest News

• Critical Security Flaw Actively Exploited, Leaving Over 28,500 Exchange Servers at Risk
• SolarWinds Patches Critical RCE Vulnerabilities in Access Rights Manager
• CISA Issues Alert on Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability
• Critical Web Application Vulnerabilities Threatening Credit Unions Uncovered by LMG Security
• Critical Security Flaws Leave Over 13,000 Ivanti Gateways at Risk