2024-02-21

In a coordinated operation revealed on Monday, an international coalition of law enforcement agencies executed a significant disruption of Lockbit, one of the most prolific and technologically advanced ransomware gangs.

The disruption was conducted via a joint task force led by Britain’s National Crime Agency, the U.S. Federal Bureau of Investigation, and Europol’s European Cybercrime Center, with support from Interpol. Police organizations from over a dozen countries contributed, including France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland, and Germany.

Joint Task Force Led by U.K., U.S., and Europol Takes Control of Infrastructure

Lockbit’s leading extortion site is now displaying a takeover message from authorities. The National Crime Agency stated that “This site is now under the control of the National Crime Agency of the U.K., working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

The NCA and the Department of Justice later confirmed the action while characterizing it as ongoing and actively developing. U.S. cybersecurity officials labeled Lockbit the number one ransomware threat worldwide.

Notably, it is responsible for attacks on over 1,700 organizations globally, spanning nearly every major industry vertical. These include healthcare, financial services, transportation, food production, education, I.T. services, and government departments at the federal, state, and local levels.

The group operates via a ransomware-as-a-service model, providing digital extortion tools and infrastructure to ‘affiliates’ – cybercriminals who conduct attacks and receive a share of profits.

After infiltrating a target’s systems, Lockbit steals and encrypts sensitive data, demanding exorbitant cryptocurrency payments to decrypt the information and prevent its publication.

On Lockbit’s now-defunct dark web extortion site, a gallery displayed new victims nearly daily alongside pending deadlines for meeting ransom demands. An automated clock tracked payments, pressuring organizations to pay before data leaks or corrupted systems caused catastrophic damage.

For affiliates, Lockbit provided access to this infrastructure through a customized control panel. This panel enables them to launch attacks, monitor communications with victims, and track ransom payments deposited to the gang’s cryptocurrency wallets.

FBI Gains Access to Internal Data on Extortion and Proceeds

According to private messages from Lockbit affiliates, the FBI takeover encompassed the backend attack control panel. Images circulated on hacking forums showed the panel defaced with a message asserting authorities had obtained voluminous internal data.

This includes “source code, details of the victims that have been attacked, the amount of money extorted, the data stolen, chats, and much more.” The message further taunted, “We may be in touch with you very soon” – an indication that law enforcement aims to now identify and prosecute Lockbit affiliates and neutralize the gang’s technological infrastructure.

Access to financial records may also open avenues for seizing extorted funds and returning them to victims. Lockbit has asserted via encrypted messaging that the infiltration only affected a portion of its server architecture, claiming that its backup servers, which do not run the affected PHP-based systems, were untouched.

However, multiple cybersecurity experts characterized the operation as dealing a meaningful blow. Don Smith of SecureWorks labeled Lockbit “the most prolific and dominant ransomware operator in a highly competitive underground market,” with a share of over 25% that dwarfs competitors.

Smith further emphasized that given Lockbit’s size, sophistication, and dominance, “today’s takedown is highly significant” despite lingering uncertainty regarding the group’s neutralization.

Still, with extensive infrastructure compromised, authorities now possess amplified means to mitigate and prevent attacks, along with newly exposed leads for identifying perpetrators.