NCA Takes Down LockBit, World's Most Dangerous Cyber Crime Group

Introduction

The National Crime Agency (NCA) has launched an international campaign targeting LockBit, the world's most harmful cyber crime group. The NCA, working with the FBI and international partners from nine other countries, has been investigating LockBit as part of a dedicated task force called Operation Cronos. They have taken control of LockBit's services, compromising the entire criminal enterprise.

‍

The UK's National Crime Agency has taken control of LockBit's technical infrastructure and their dark web leak site, which previously hosted ransomware data.

The NCA's efforts have been successful in disrupting the LockBit threat, with a total of 34 servers seized and two LockBit actors arrested.

The Agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have worked with them and used their services to harm organizations throughout the world. 

Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised.

‍

Through Operation Cronos, significant milestones have been achieved:

• Two LockBit actors have been arrested in Poland and Ukraine at the request of French judicial authorities.
• Three international arrest warrants and five indictments have been issued by French and U.S. judicial authorities.
• Authorities have frozen over 200 cryptocurrency accounts linked to the criminal organization, underscoring their commitment to disrupt economic incentives driving ransomware attacks.
• The agency has obtained the LockBit platform's source code and intelligence from their systems about their activities and those who have worked with them.
• Data retrieved from LockBit's systems revealed victim information, including those who paid ransoms.
• The Operation Cronos task force seized infrastructure and 28 servers belonging to LockBit affiliates.
• The US Department of Justice has announced that two defendants responsible for using LockBit to carry out ransomware attacks have been criminally charged and will face trial in the US.

“Our work does not stop here. We know Lockbit will likely try to regroup and rebuild their criminal enterprise. However, we will be watching and we will not stop in efforts to target this group and their associates.” The agency said.

‍

These coordinated efforts to dismantle ransomware operations are crucial in combating cybercrime and protecting businesses and individuals from being victimized. The collaboration between U.S. and U.K. law enforcement demonstrates the global reach and impact of these criminal organizations, as well as the commitment to holding them accountable for their actions. By obtaining keys to decrypt systems and assisting victims in regaining access to their data, authorities are not only disrupting criminal operations but also providing much-needed relief to those affected by these attacks. The dismantling of LockBit is a significant victory in the ongoing fight against ransomware, but it serves as a reminder of the constant vigilance and cooperation needed to combat this evolving threat.

As an Incident Responder, if you would like to investigate a LockBit Ransomware incident, you can use this free LockBit challenge: