A major ransomware group that has extorted millions of dollars from its victims has been disrupted by a coordinated international operation. LockBit, a Russia-based cybercrime gang that operates on a “ransomware-as-a-service” model, has had its website seized, its cryptocurrency accounts frozen, and some of its members arrested and charged.
What is LockBit and how does it work?
LockBit is one of the leading ransomware operators in the world, responsible for over 2,000 attacks on municipal entities and private companies across various sectors and regions. Ransomware is a type of malicious software that encrypts the files and systems of the victims, demanding a payment, usually in cryptocurrency, to restore access.
LockBit uses a “ransomware-as-a-service” model: the core group develops and maintains the ransomware tooling and distributes it to affiliates, who carry out the actual intrusions and deploy it on victim networks. LockBit also runs an online dashboard, called a “control panel”, that gives affiliates the tools and support needed to manage their attacks and ransom negotiations. In return, LockBit takes a cut of each ransom payment. Affiliates are often recruited through underground forums and marketplaces.
LockBit is known for its fast, highly automated encryption routine, which can lock down a network within minutes of deployment. It also uses a double-extortion technique: affiliates steal sensitive data from the victim before encrypting its systems, then threaten to publish or sell that data if the ransom is not paid. LockBit adds further pressure by posting victims’ names and details on its leak website and by contacting their customers, partners, and employees.
How did the authorities disrupt LockBit?
The authorities launched a joint operation, dubbed Operation Cronos, to target LockBit and its affiliates. The operation involved collaboration between the U.S. Department of Justice (DOJ), Europol, and law enforcement agencies from multiple countries, including the U.K., Poland, Ukraine, Romania, France, and Australia.
The operation resulted in the following outcomes:
- The authorities seized LockBit’s website and its associated pages, cutting off its leak site and its channels for communicating with affiliates and victims. The site now displays a message from the law enforcement agencies warning visitors that they are under investigation.
- The authorities froze over 200 cryptocurrency accounts linked to LockBit’s activities, blocking the group’s access to the funds and allowing investigators to trace its financial transactions. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) also blacklisted 10 bitcoin and ether addresses associated with the group, prohibiting U.S. entities from providing any financial services to them.
- The authorities charged four individuals suspected of involvement in LockBit’s activities. Two of them, Artur Sungatov and Ivan Kondratyev, are Russian nationals who were indicted in the U.S. for conspiracy to commit computer fraud and abuse and conspiracy to commit wire fraud. The other two, whose identities have not been disclosed, are thought to be affiliates; they were arrested in Poland and Ukraine.
- The authorities recovered more than 1,000 decryption keys belonging to victims of LockBit attacks. They will be contacting those victims to help them recover their encrypted data without paying a ransom.
What is the impact and significance of the operation?
The operation is a significant blow to LockBit and its affiliates, who are accused of extorting over $120 million in ransom payments from victims worldwide. It also demonstrates the determination and cooperation of the international community in combating the growing threat of ransomware, which the U.K. National Crime Agency (NCA) has described as a “global epidemic”.
The operation also sends a clear message to ransomware operators and their affiliates that they are not beyond the reach of prosecution, and that their infrastructure and proceeds can be seized. It further aims to deter victims from paying ransoms, and to encourage them to report incidents and seek assistance from the authorities.
The NCA’s director general, Graeme Biggar, said, “Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”
The DOJ’s assistant attorney general, John C. Demers, said, “Today’s announcement demonstrates the Department of Justice’s commitment to working with our international partners to disrupt and dismantle ransomware groups, and to hold them accountable for their crimes, no matter where they are located.”
Europol’s executive director, Catherine De Bolle, said, “This operation shows that ransomware is not a problem that concerns only one country or region, but a global threat that requires a coordinated response from all of us.”