LockBit cartel disrupted "at every level" – Europol

The LockBit cartel was humiliated, with law enforcement agencies from the UK, USA, and Europol issuing an official announcement on the gang's bust via LockBit's leak site. Data samples that authorities provided suggest the cartel has been penetrated to its very core.

In an unprecedented display of showmanship, law enforcement agencies from ten countries chose to announce the results of the months-long Operation Cronos, led by the UK National Crime Agency (NCA), using the ransomware cartel's online infrastructure. A message at the bottom of the blog says that LockBit's websites will be closed down on February 24th.

"The months-long operation has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise. This includes the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom," Europol said.

The operation against LockBit appears to be a very thorough one, with authorities providing numerous screenshots of LockBit's backend, including admin panel conversations and crypto addresses, which at least in theory should make it possible to follow the movement of illegal funds.

Authorities announce the results of actions against LockBit. Image by Cybernews.

"Two LockBit actors have been arrested in Poland and Ukraine at the request of the French judicial authorities. The French and US judicial authorities have also issued three international arrest warrants and five indictments. Authorities have frozen more than 200 cryptocurrency accounts linked to the criminal organization, underscoring the commitment to disrupt the economic incentives driving ransomware attacks," Europol's statement reads.

The NCA claims to have taken over parts of the LockBit technical infrastructure that allows its service to operate, including the gang's leak site. Moreover, the agency obtained over 1,000 decryption keys, which will allow victims to regain access to data that cybercrooks have encrypted.

"At present, a vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure, and criminal assets linked to these criminal activities," reads the announcement.

According to the NCA, the authorities managed to disrupt LockBit's StealBit exfiltration tool, seizing its supporting servers in three different countries and dozens of servers owned by LockBit's affiliates. The authorities claim to have also obtained LockBit's source code.

LockBitSupp in trouble

Information that law enforcement posted on what used to be LockBit's leak site points to further announcements, including revealing the identity of LockBitSupp, the key individual or individuals behind the notorious ransomware cartel. That could prove dangerous to the people behind the gang, as they have antagonized many in the Russian cyber underworld.

According to the authorities, LockBitSupp has been banned from using its own platform, further adding insult to the hackers' injury. The messaging law enforcement agencies chose indicates a stream of information regarding LockBit's affiliates, the backbone of any ransomware cartel.

The US Department of Justice (DoJ) also unsealed an indictment charging Russian nationals Artur Sungatov and Ivan Kondratyev, a/k/a “Bassterlord,” with using the LockBit ransomware variant. Previous charges against the cartel's actors include Mikhail Vasiliev, Ruslan Magomedovich Astamirov, and Mikhail Pavlovich Matveev (Wazawaka).

"Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit is locked out. We have damaged the capability and, most notably, the credibility of a group that depended on secrecy and anonymity," Graeme Biggar, NCA's Director General, said.

LockBit admin panel samples. Image by the NCA.

The beginning of the end

On February 19th, law enforcement agencies disrupted LockBit’s activity by seizing the gang’s website domains in what authorities called “Operation Cronos.” LockBit's affiliate panel, used to interact with victims and monitor the attack process, greeted criminals with a message from the NCA, saying all of the data was in the hands of law enforcement agents.

The message even directed criminals to reach out to the NCA first. The message closely mimics the type of rhetoric ransomware cartels use on their victims.

Moreover, virtually all domains of LockBit’s dark web blog, used to showcase its latest victims, greeted users with a message from law enforcement, saying that “the site is now under the control of law enforcement.”

"We can confirm that LockBit's services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation," read the notification on what used to be LockBit's leak site.

While LockBit victimized organizations all over the Western hemisphere, several of the high-profile attacks targeted well-known British names important to the national psyche. One such case was a much-publicized ransomware attack against the Royal Mail.

Royal Mail partially suspended operations after a breach was disclosed in November 2022. LockBit demanded the British postal service pay an $80 million ransom, which the organization refused.

LockBit admin panel samples. Image by the NCA.

Who is LockBit?

The LockBit group first appeared on the ransomware scene sometime in late 2019, according to industry insiders. Since then, the gang has climbed to the top of the food chain, topping many lists in terms of victimized organizations.

Even though the gang tried to maintain a fake image of 'ethical' criminals, its affiliates did not refrain from attacking public institutions. In early February, attackers breached Saint Anthony Hospital, a non-profit children's hospital. In January, LockBit claimed an attack against Saint Anthony Hospital in Chicago.

The threat actors are said to have executed over 1,400 attacks against victims in the US and around the world, including Asia, Europe, and Africa. The gang’s notorious ransomware variant LockBit 3.0 – also known as LockBit Black – is now in its third iteration and is considered more evasive than all previous strains, a US Department of Justice report said. The variant also happens to share similarities with two other Russian-linked ransomware variants, BlackMatter and ALPHV, the DoJ said.

According to the Cybernews Ransomlooker, a ransomware monitoring tool, LockBit accounted for 47% of all publicly announced ransomware victims over the last 12 months.

The gang's key persona is a Russia-based individual under the moniker LockBitSupp. According to Jon DiMaggio, Chief Security Strategist at Analyst1, the individual or individuals behind the admin account fiercely compete in the ransomware world, conducting smear campaigns against rivals.

DiMaggio believes LockBitSupp is closely related to other major ransomware operators in Russia, a hotspot for ransomware activity. Cybercriminals can safely operate under Moscow's rule as Russia's law enforcement turns a blind eye to the export of cybercrime as long as ransomware gangs don't target local organizations.

Most of the key ransomware operators explicitly forbid affiliates from targeting organizations in Russia and members of the Moscow-led Commonwealth of Independent States (CIS).