
Ransomware group LockBit disrupted by the UK’s NCA along with FBI and Europol

Written by Wed 21 Feb 2024

One of the world’s most notorious ransomware groups, LockBit, has been disrupted by the UK’s National Crime Agency (NCA) along with the Federal Bureau of Investigation (FBI), and Europol.

Operation Cronos resulted in the NCA seizing control of LockBit’s main administration platform, ‘compromising their entire criminal enterprise’. Affiliates utilise this platform to coordinate attacks and manage their dark web leak site, where they threaten to publish stolen data. 

Now, the site will feature daily exposés by the NCA revealing LockBit’s capabilities and operations.

“The criminals running LockBit are sophisticated and highly organised, but they have not been able to escape the arm of UK law enforcement and our international partners,” said James Cleverly, the UK Home Secretary.

LockBit used a custom tool called Stealbit to exfiltrate data. The infrastructure of LockBit was seized across three countries by members of the Operation Cronos taskforce. A total of 28 servers belonging to LockBit affiliates were taken offline.

A Celebration and Warning for Businesses

The NCA also acquired the LockBit platform’s source code and intelligence from their systems. This revealed insights into their activities and associates who utilised their services to harm organisations worldwide.

“Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” said the NCA.

Jake Moore, Global Cybersecurity Advisor at ESET, said LockBit’s disruption shows the successes of law enforcement agencies working together. Moore stressed that ‘locating enough evidence is the most difficult aspect in any cybercrime investigation’.   

“The takedown of LockBit’s website will be a massive blow to cybercriminals and although it will not eradicate the problem, it will disrupt the criminal network potentially saving businesses millions of pounds in targeted activity,” added Moore. 

Regional Manager for Northern Europe at Hornetsecurity, Irvin Shillingford, said that despite the success of LockBit’s takedown, businesses should not become complacent about future attacks.

With the rise in generative artificial intelligence (AI), threat actors are finding easier ways to deliver more realistic attacks, while phishing hacks remain the number one way hackers can overcome cyber defences.

“Businesses must continue to deliver continual improvements to their cyber defence strategies, which combine best cybersecurity practices as well as increased cyber awareness training,” added Shillingford.

Shillingford said doing so is necessary to remain protected against these ever-growing cyberthreats. 

Commitment Made to Preventing Future LockBit Attacks

The NCA said the technical disruption marks only the start of actions against LockBit and its affiliates. In a broader coordinated effort led by Europol, two LockBit actors were arrested in Poland and Ukraine, and over 200 cryptocurrency accounts associated with the group were frozen.

The US Department of Justice announced the criminal charging and custody of two defendants responsible for ransomware attacks through LockBit, who will face trial in the U.S. Indictments against two Russian nationals were unsealed for conspiring to carry out LockBit attacks.

“For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, US and UK law enforcement are taking away the keys to their criminal operation,” said Merrick B. Garland, the U.S. Attorney General.

The NCA has acquired over 1,000 decryption keys and will soon contact UK-based victims to offer support and help recover encrypted data. The FBI and Europol will be supporting victims elsewhere.

Director General of the NCA, Graeme Biggar, stressed the Agency’s work does not stop here, as LockBit may seek to rebuild their criminal enterprise.

“We know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them,” said Biggar.

Director of the FBI, Christopher A. Wray, said the operation showcases the FBI’s capability and dedication to safeguarding the nation’s cybersecurity and national security.

“We will continue to work with our domestic and international allies to identify, disrupt, and deter cyber threats, and to hold the perpetrators accountable,” said Wray.

However, Chester Wisniewski, Director and Global Field Chief Technology Officer at Sophos, expressed scepticism towards LockBit’s continued disruption. Wisniewski stressed that much of LockBit’s infrastructure is still online, which likely means it is outside the grasp of the police, and that the criminals have not been reported to have been apprehended.

“We must continue to band together to raise their costs ever higher until we can put all of them where they belong: in jail,” said Wisniewski.

What does LockBit do? 

Operating for over four years, LockBit launched prolific ransomware attacks worldwide. Their targets suffered billions in losses from ransom payments and recovery costs. The group offered ransomware-as-a-service to a global network of hackers, providing tools and infrastructure for attacks.

LockBit’s malicious software infected victims’ networks, stealing their data and encrypting their systems. Victims were then told to pay a cryptocurrency ransom to decrypt their files and prevent publication of their data.

Last week, LockBit said it was responsible for a cyberattack on the US subsidiary of Indian digital services company, Infosys. The ransomware group’s attack affected more than 57,028 Infosys McCamish Systems users.

In January, LockBit claimed to have breached and stolen corporate data from Subway, prompting the company to investigate the attack on its IT systems. 

The ransomware group issued a deadline of 2 February for the fast food company to secure its compromised data. If no action was taken, LockBit threatened to sell the stolen information to the sandwich chain’s competitors.

In November, a division of the Industrial and Commercial Bank of China (ICBC) experienced a ransomware attack. The attack caused disruptions in the US Treasury market, resulting in the clearing of fixed-income and equity trades. LockBit was suspected to be behind the ICBC attack; however, this was not confirmed.
