International Law Enforcement Takes Down Notorious LockBit Ransomware Group

An international law enforcement operation led by the United Kingdom’s National Crime Agency (NCA) and the FBI have taken down the LockBit ransomware group, one of the most active ransomware groups in the world.

The LockBit ransomware group has targeted over 2,000 victims, received more than $120 million in ransom payments and made ransom demands totaling hundreds of millions of dollars.

International law enforcement disrupted LockBit’s operations by seizing numerous public-facing websites used by the group to connect to the organization’s infrastructure and seizing control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks, and extort victims by threatening to publish stolen data.

Additionally, the NCA, in cooperation with the FBI and international law enforcement partners, has developed decryption capabilities that may enable hundreds of victims around the world to restore systems encrypted using the LockBit ransomware variant.

The U.S. Justice Department also unsealed an indictment charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. Additional criminal charges against Kondratyev were unsealed in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in California. 

Finally, the Department also unsealed two search warrants issued in the District of New Jersey that authorized the FBI to disrupt multiple U.S.-based servers used by LockBit members in connection with the LockBit disruption. As disclosed by those search warrants, those servers were used by LockBit administrators to host the “StealBit” platform, a criminal tool used by LockBit members to organize and transfer victim data.

LockBit Ransomware Group's Capabilities Degraded

“Today, the FBI and our partners have successfully disrupted the LockBit criminal ecosystem, which represents one of the most prolific ransomware variants across the globe,” said FBI Director Christopher Wray. “Through years of innovative investigative work, the FBI and our partners have significantly degraded the capabilities of those hackers responsible for launching crippling ransomware attacks against critical infrastructure, and other public and private organizations around the world. This operation demonstrates both our capability and commitment to defend our nation's cybersecurity and national security from any malicious actor who seeks to impact our way of life. We will continue to work with our domestic and international allies to identify, disrupt and deter cyber threats, and to hold the perpetrators accountable.”

Toby Lewis, global head of threat analysis at Darktrace, said although a partial takedown of the world’s most prolific ransomware gang is a “huge win” for global law enforcement, it likely won’t be fatal for LockBit.

Darktrace's Toby Lewis

“It’s probable we’ll see them go underground to regroup, retool and come out again swinging,” he said. “One interesting aspect, however, is LockBit’s reputation. Their affiliate model means reputation matters and LockBit may struggle to retain credibility following this shutdown, even if they attempt a relaunch. They’ll likely do what any business would do — rebrand.

A lot of good will come from this takedown, Lewis said.

“Law enforcement have seized nearly 1,000 decryption keys, so I’m optimistic that many of the current victims will be able to unlock their data and systems, and in the longer term, they could go on to turn the affiliate model on itself, using chat logs and information from private forums to pursue, shut down and arrest LockBit’s network of affiliates,” he said.

Takedown 'Impressive and Significant' Achievement

Dov Lerner, security research lead at Cybersixgill, said the takedown of LockBit is an “impressive and significant achievement” by U.S. and UK law enforcement.

“It shows how once again, major ransomware groups have become victims of their own success,” he said. “To put it into context, ransomware is very similar to piracy (the skull-and-crossbones kind, not the Napster kind). That is, well-equipped, organized and sophisticated criminals have always sought to take a cut from international commerce in areas outside of national jurisdiction, whether on the open seas, in the Wild West or on the deep web. Sometimes losses from theft are just considered the cost of doing business. But when crime rises to intolerable levels, governments have intervened. When the cost of inaction outweighed the cost of action, navies were deployed against pirates and cavalry against wagon robbers.”

Over the last few years, ransomware groups have transformed from a nuisance into enterprises that have stolen hundreds of millions of dollars, and impacted businesses and critical infrastructure, Lerner said.

“This spurred governments and law enforcement agencies into action; instead of picking on vulnerable businesses, now ransomware groups are contending against the might and resources of the federal government, and many have lost that fight,” he said. “Today's announcement, therefore, is a victory for law enforcement efforts and welcome news for any business concerned by the threat of ransomware."

Lessons From Past Operations

Dirk Schrader, vice president of security research at Netwrix, said this operation to take down LockBit appears to have incorporated some lessons learned from past operations.

Netwrix's Dirk Schrader

“The operation penetrated deep into the network behind LockBit and tried to uproot much, if not all the elements in the LockBit supply chain, as the notes left for crooks logging in to the platform indicate,” he said. “That approach increases the chances that LockBit will not resurface again, unlike other ransomware platforms recently, like Trickbot and ALPHV. Only time can tell whether this will be true.”

Although it’s good news that the crypto money has been seized and two individuals have been arrested, it's not a sign that “we should lower our defenses,” Schrader said.

“There are still other gangs out there, there is still a lot of inconsistency between countries related to cyber crime, and there is still money in the game,” he said. “So, companies should not scale down their efforts to protect their data, identities and infrastructure. Heed the advice that an ounce of prevention is better than a pound of cure.”