UK and US hack the hackers to bring down LockBit crime gang

A massive law enforcement operation has seized the “command and control” infrastructure for the international ransomware group LockBit, the UK’s National Crime Agency (NCA) revealed on Tuesday, and will repurpose the technology to expose the group’s operations to the world.

The joint operation, between the NCA, the FBI, Europol and a coalition of international police agencies, was revealed with a post on LockBit’s own website, which read: “This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement taskforce Operation Cronos.”

Two LockBit actors have been arrested in Poland and Ukraine, and a further two defendants, thought to be affiliates, have been arrested and charged in the US. Two more individuals have been named, but are Russian nationals still at large. Authorities have also frozen more than 200 cryptocurrency accounts linked to the criminal organisation.

Disruption to the LockBit operation is significantly greater than first revealed, the NCA said. As well as taking control of the public-facing website, the agency seized LockBit’s primary administration environment, the infrastructure that allowed it to manage and deploy the hacking technology that it used to extort businesses and individuals around the world.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” said Graeme Biggar, the NCA’s director general.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

The organisation is a pioneer of the “ransomware as a service” model, whereby it outsources the actual target selection and attacks to a network of semi-independent “affiliates”, providing them with the tools and infrastructure and taking a commission on the ransoms in return.

As well as ransomware, which typically works by encrypting data on infected machines and demanding a payment for providing the decryption key, LockBit copied stolen data and threatened to publish it if the fee was not paid, promising to delete the copies on receipt of a ransom.

However, the NCA said that promise was false. Some of the data it discovered on LockBit’s systems belonged to victims who had paid the ransom.

The home secretary, James Cleverly, said: “The NCA’s world leading expertise has delivered a major blow to the people behind the most prolific ransomware strain in the world.

“The criminals running LockBit are sophisticated and highly organised, but they have not been able to escape the arm of UK law enforcement and our international partners.”

The “hack back” campaign also recovered more than 1,000 decryption keys earmarked for victims of LockBit’s attacks, and those victims will be contacted to help them recover their encrypted data.

In a blogpost last month, the former National Cybersecurity Centre boss, Ciaran Martin, said the involvement of Russian hackers in cybercrime undercuts many common tactics of law enforcement. “Impose costs when we can: there are things we can do to harass and harry cyber criminals,” he warned. “But this will not be a strategic solution for as long as the Russia safe haven exists.”
