LONDON — Law-enforcement agencies have infiltrated and disrupted LockBit, arresting two people involved with the prolific ransomware syndicate that has extracted $120 million from thousands of victims around the world, British, American and European officials said Tuesday.
Britain’s National Crime Agency, or NCA, said it led an international operation targeting LockBit, which provides ransomware as a service to so-called affiliates who infect victim networks with the computer-crippling malware and negotiate ransoms.
The operation resulted in the arrests of two people in Poland and Ukraine and the seizure of 200 cryptocurrency accounts, officials said at a joint news conference. The Justice Department, meanwhile, unsealed indictments against two more people, both Russian nationals. Authorities said they gained “comprehensive access” to LockBit’s systems, taking control of infrastructure and obtaining keys to help victims decrypt their data.
“We have hacked the hackers,” Graeme Biggar, the NCA’s director general, said at the news conference in London. “LockBit has been locked out. “
Hours before the announcement, the front page of LockBit’s dark-web leak site was replaced with the words “this site is now under control of law enforcement,” alongside the flags of the U.K., the U.S. and several other nations.
The message said the U.K.’s NCA was “working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos.” The continuing operation also involves agencies from Germany, France, Japan, Australia, New Zealand and Canada, among others, including Europol, it said.
The announcement brings to five the number of people the U.S. has indicted since the operation began. Three Russians have previously been indicted, with two of those taken into custody, one in Canada and one in the U.S. The rest are still wanted.
“Today we have turned the tables on these cybercriminals,” U.S. Attorney Philip Sellinger said at the news conference.
Authorities said they also seized servers that the gang used to organize and transfer victim data, and gained access to nearly 1,000 potential decryption tools. They also obtained the Lockbit platform’s source code and a trove of intelligence on people the gang worked with.
LockBit, which has been operating since 2019, has been the most prolific ransomware syndicate two years running. The group accounted for 23% of the nearly 4,000 attacks globally last year in which ransomware gangs posted data stolen from victims to extort payment, according to the cybersecurity firm Palo Alto Networks.
The operation is “probably the most significant ransomware disruption to date,” Analyst Brett Callow of the cybersecurity firm Emsisoft said. And while it will likely spell the end of the brand, such groups routinely rebrand and re-emerge under new names. Over the long term, Callow said, this operation alone will not diminish the volume of ransomware attacks.
A rare offensive cyber-operation for the U.K. crime agency, the operation aimed to steal all of LockBit’s data and then destroy its infrastructure, causing a “significant major degradation” of the cybercrime threat.
LockBit is dominated by Russian speakers and does not attack former Soviet nations. The syndicate provides clients with the platform and the malware to conduct attacks and collect ransoms.
Officials suggested that LockBit could have hundreds of members but there’s no evidence that a nation state such as Russia is behind the syndicate, Biggar said.
“These are criminals,” he said, although the lack of a Russian crackdown indicates that Moscow tolerates the gang’s activity.
LockBit has been linked to attacks on the U.K.’s Royal Mail, Britain’s National Health Service, airplane manufacturer Boeing, international law firm Allen and Overy and China’s biggest bank, ICBC.
“We have disrupted at every level the criminal operation of the LockBit ransomware group,” Europol’s Deputy Executive Director of Operations Jean-Philippe Lecouffe said at the news conference. “Today we have dealt a decisive blow not only to their operation, but also importantly, to their reputation.”
Cybersecurity experts wondered Tuesday how much detail law enforcement obtained in infiltrating LockBit’s infrastructure on affiliate negotiations with victims, including who quietly paid ransoms and how much. Influenced by specialty firms they hire to respond to attacks, victims generally resist admitting publicly that ransomware is to blame.
Officials told reporters the gang targeted 2,000 victims worldwide, including 200 in the U.K. Biggar said the numbers will be “significant underestimates.”
Last June, U.S. federal agencies released an advisory that attributed about 1,700 ransomware attacks in the United States since 2020 to LockBit and said victims included “municipal governments, county governments, public higher education and K-12 schools, and emergency services.”
Artur Sungatov and Ivan Kondratyev, the two indicted Russians, are accused of deploying LockBit against manufacturing companies in the U.S. and semiconductor businesses worldwide. Kondratyev allegedly used the ransomware against municipal and private targets in Oregon, Puerto Rico and New York and others victims in Singapore, Taiwan, and Lebanon while Sungatov allegedly deployed it against manufacturing, logistics and insurance companies in Minnesota, Indiana, Puerto Rico, Wisconsin, Florida, and New Mexico.
Ransomware is the costliest and most disruptive form of cybercrime, crippling local governments, court systems, hospitals and schools as well as businesses. It is difficult to combat as most gangs are based in former Soviet states and out of reach of Western justice. Law enforcement agencies have scored some recent successes against ransomware gangs, most notably the FBI’s operation against the Hive syndicate. But the criminals regroup and rebrand.
Britain’s National Cyber Security Centre has previously warned that ransomware remains one of the biggest cyber threats facing the U.K. and urges people and organizations not to pay ransoms if they are targeted.
____
Frank Bajak in Boston contributed to this report.