Two Arrested In LockBit Ransomware Gang Takedown

Two LockBit actors arrested in Poland and Ukraine as UK NCA-led Operation Cronos takes down international ransomware infrastructure

Law enforcement arrested two actors in the LockBit ransomware gang in Poland and Ukraine on Tuesday morning, according to the UK National Crime Agency (NCA), which said authorities had disrupted the gang’s “entire criminal enterprise”.

The NCA worked with the FBI, Europol and law enforcement from nine other countries on the operation, called Cronos, authorities said.

Over the past 12 hours the infrastructure for LockBit’s bespoke data exfiltration tool, called Stealbit, has been seized by members of the task group across three countries, the NCA said.

Some 28 servers belonging to LockBit affiliates have also been taken down, the NCA said.

‘Thousands of victims’

LockBit, which came to prominence in 2020 and 2021, was set up as a ransomware-as-a-service model in which affiliate hackers use its tools and infrastructure to carry out attacks.

A study last month found it was last year’s most prolific ransomware group, with past targets including Boeing, Royal Mail Group and the City of Oakland.

“LockBit ransomware attacks targeted thousands of victims around the world, including in the UK, and caused losses of billions of pounds, dollars and euros, both in ransom payments and in the costs of recovery,” the NCA said.

The group typically encrypted targets’ networks and also stole sensitive data, charging a double ransom to unlock the systems and refrain from publishing the data.

Arrests

The NCA said it planned to publish a series of daily information articles on the site LockBit used to publish stolen data, which the NCA seized late on Monday.

The agency said it found data on LockBit’s systems belonging to targets that had paid a ransom, showing that the group had not deleted the data as promised.

In a wider action coordinated by Europol, two LockBit actors were arrested in Poland and Ukraine on Tuesday morning and more than 200 cryptocurrency accounts linked to the group were frozen.

The US Department of Justice said two defendants who acted as LockBit affiliates have been criminally charged, are in custody and are to face trial in the US.

Decryption keys

The US unsealed indictments against two further individuals, Russian nationals, for conspiring to commit LockBit attacks.

The NCA has obtained more than 1,000 decryption keys and said it would be contacting UK-based targets in the coming days and weeks to help them recover encrypted data, with the FBI and Europol assisting targets elsewhere.

“No criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners,” NCA director general Graeme Biggar said.

He acknowledged that the hackers may seek to rebuild their enterprise. “However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them,” Biggar said.

Server backups

An account used by LockBit’s operators said on Monday that the group had “backup servers without PHP” that “can’t be touched” by law enforcement.

Agencies apparently used a PHP exploit to attack the group’s servers.

Europol said 34 LockBit servers had been taken down in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.

“This infrastructure is now under law enforcement control, and more than 14,000 rogue accounts responsible for exfiltration or infrastructure have been identified and referred for removal by law enforcement,” Europol said.