author photo
By Cam Sivesind
Tue | Feb 20, 2024 | 10:31 AM PST

In a massive coordinated effort, law enforcement agencies from the United States and United Kingdom have dismantled the infrastructure of the notorious LockBit ransomware gang. LockBit has been linked to more than $100 million in ransom payments from victims across the globe since 2021. This takedown serves as a stern warning to cybercriminal groups that authorities are fighting back.

LockBit operated what is known as a "ransomware-as-a-service" model, allowing affiliates to use their malware to infect targets with ransomware and then take a cut of any ransom payments. This decentralized structure made LockBit challenging to track.

However, international law enforcement agencies were able to penetrate the operation. Europol covertly gained access to LockBit's servers and shared decryption keys with victims, enabling many to recover their data without paying ransoms. Authorities also seized more than $1 million of cryptocurrency from LockBit.

Several international police organizations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland, and Germany are reported to have been involved with the takedown. The joint operation was known as "Operation Cronos."

LockBit's own data leak website had the following banner message posted: 

"The site is now under the control of law enforcement. This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos. We can confirm that LockBit's services have been disrupted as a result of International Law Enforcement action—this is an ongoing and developing operation."

The arrests of several alleged LockBit members have also been reported. While the ringleaders remain at large, these actions have severely disrupted LockBit's operations. Cybersecurity experts have observed a noticeable drop in LockBit activity.

"Although a partial takedown of the world's most prolific ransomware gang is a huge win for global law enforcement, it likely won't be fatal for LockBit," said Toby Lewis, Global Head of Threat Analysis at Darktrace. "It's probable we'll see them go underground to regroup, re-tool, and come out again swinging. One interesting aspect, however, is LockBit's reputation. Their affiliate model means reputation matters, and LockBit may struggle to retain credibility following this shutdown, even if they attempt a re-launch. They'll likely do what any business would do—rebrand."

Lewis added: "There will certainly be a lot of good from this. Law enforcement officials have seized nearly 1,000 decryption keys, so I'm optimistic that many of the current victims will be able to unlock their data and systems. And in the longer term, they could go on to turn the affiliate model on itself, using chat logs and information from private forums to pursue, shut down, and arrest LockBit's network of affiliates."

This crackdown is a reminder that government agencies have sophisticated cyber capabilities. With cooperation across borders, even the most slippery online criminal groups are not beyond the reach of the law. The authorities have sent a message that ransomware will not be tolerated.

However, cybercriminals adapt quickly. Ransomware remains a lucrative enterprise, with new variants and groups emerging all the time. So this victory cannot cause complacency. Government and businesses must remain vigilant, continuing to strengthen cyber defenses and resilience against ransomware threats. But for now, the dismantling of LockBit deals a serious blow to one of the most far-reaching ransomware scourges.

[RELATED: International Authorities Take Down Ragnar Locker Ransomware Group]

Other cybersecurity experts agree that this likely is not a fatal blow to LockBit.

"The LockBit bust is obviously a big win for law enforcement. LockBit will likely go quiet for a time and come back as a re-branded organization, much like other ransomware organizations that have been disrupted have done," said Nick Hyatt, Director of Threat Intelligence at BlackPoint. "That said, LockBit was one fish (albeit a big one) in a sea of ransomware gangs. The disruption of LockBit sends a message that law enforcement is watching, but ransomware syndicates know this. Organizations need to practice good security hygiene, understand their threat profiles, and have visibility into data that may be available on the Dark Web, which is where these gangs release the data they have stolen."

Hyatt continued: "Ultimately, governments, law enforcement, and the security industry need to make a concerted effort to provide alternate means of recovery rather than paying the ransom. While disrupting LockBit is great, ransomware is still a billion-dollar industry and will remain a threat for the foreseeable future.”

The U.K. National Crime Agency (NCA) issued a news release today explaining the events. From the release:

"The NCA has taken control of LockBit's primary administration environment, which enabled affiliates to build and carry out attacks, and the group's public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims. Instead, this site will now host a series of information exposing LockBit's capability and operations, which the NCA will be posting daily throughout the week."

[RELATED: 48 Countries Commit to Stop Paying Ransomware Demands]