Lockbit cybercrime gang disrupted by international law enforcement operation

NCA official said operation to take control of Lockbit's tools, data and servers is still ongoing and developing
An undated image displaying a hacker. — Unsplash

An international law enforcement operation conducted jointly by a coalition including Britain’s National Crime Agency, the US Federal Bureau of Investigation (FBI), Europol and international police agencies disrupted a prolific cybercrime gang known as Lockbit, according to a post on the gang's extortion website on Monday.

The post stated, “This site is now under the control of the National Crime Agency (NCA) of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

Following the crackdown on the gang, an NCA official said the operation is still "ongoing and developing". 


Despite having lost control of a trove of its servers, data and websites, the gang posted on an encrypted messaging app that the operation by law enforcement agencies did not impact its backup servers.

Alongside the top agencies, they also mentioned other international police organisations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany in the post on the messaging app. 

What is LockBit ransomware gang?

Discovered in 2020, Lockbit is best known for attacking some of the world’s largest organisations over the past few months. Its sole source of income is stealing confidential data and threatening to publicise it if the victim does not pay the ransom. The group's associates, like-minded hackers with similar intentions, launch attacks using Lockbit’s digital extortion tools.

“They are the Walmart of ransomware groups, they run it like a business–that’s what makes them different. They are arguably the biggest ransomware crew today,” said Jon DiMaggio, chief security strategist at Analyst1, a US-based cybersecurity firm.

Lockbit, a ransomware gang, has not declared allegiance to any government and has not been officially linked to a specific nation-state. The group claimed to be based in the Netherlands, stating that it is apolitical and solely focused on financial gain. 

According to cybersecurity research website vx-underground, Lockbit made a statement in Russian on the encrypted messaging app Tox, alleging that the FBI targeted its servers running on PHP but stating that it has backup servers that "are not touched".

vx-underground posted screenshots on X, formerly known as Twitter, showing Lockbit's control panel used to launch attacks replaced with a message from law enforcement: "We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more", it said.

"We may be in touch with you very soon", it added. "Have a nice day".

Lockbit's website used to showcase a constantly expanding collection of victim organisations, updated almost daily. Each organisation's name was accompanied by a digital clock indicating the number of days remaining until the ransom payment deadline. 

However, on Monday, Lockbit's site featured a different countdown from law enforcement agencies who had successfully hacked the hackers. The post stated, "Return here for more information at: 11:30 GMT on Tuesday 20th Feb."

Victims of Lockbit ransomware group

In the US, Lockbit has targeted over 1,700 organisations across various industries. They have been described as the top ransomware threat globally. The group has leaked internal data from Boeing and caused significant disruption to Britain’s Royal Mail. 

Where is Lockbit based?

In 2020, the notorious hacker group's malicious software was spotted on Russian-language cybercrime forums, which led security analysts to believe that the group was based in Russia.