The National Crime Agency (NCA) today, Tues. Feb. 20, revealed details of an international disruption campaign targeting LockBit, the world’s most harmful cyber -crime group.
After infiltrating the group’s network, the NCA too control of LockBit’s services, compromising their entire criminal enterprise.
4 Years
LockBit have been in operation for 4 years & during that time, attacks using their ransomware were prolific. LockBit ransomware attacks targeted 1000s of victims worldwide, including the UK, & caused losses of billions of pounds, dollars & euros, both in ransom payments & in the costs of recovery.
The group provided ransomware-as-a-service to a global network of hackers or ‘affiliates,’ supplying them with the tools & infrastructure required to conduct attacks.
Stolen
When a victim’s network was infected by LockBit’s malicious software, their data was stolen & their systems encrypted. A ransom would be demanded in cryptocurrency for the victim to decrypt their files & prevent their data from being published.
The NCA has taken control of LockBit’s primary administration environment, which enabled affiliates to build & conduct attacks, & the group’s public-facing leak site on the dark web, on which they previously hosted, & threatened to publish, data stolen from victims.
Instead, this site will now host a series of information exposing LockBit’s capability & operations, which the NCA will be posting daily throughout the week.
Source Code
The Agency has also obtained the LockBit platform’s source code & a vast amount of intelligence from their systems about their activities & those who have collaborated with them & used their services to harm organisations throughout the world.
Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat players, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised.
FBI
The NCA, working closely with the FBI, & supported by international partners from 9 other countries, have been secretly investigating LockBit as part of a dedicated taskforce called Operation Cronos.
LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. This infrastructure, based in 3 countries, has been seized by members of the Op Cronos taskforce, & 28 servers belonging to LockBit affiliates have also been taken down.
The technical infiltration & disruption is only the beginning of actions against LockBit & their affiliates. In wider action co-ordinated by Europol, 2 LockBit players were arrested this morning in Poland & Ukraine, over 200 cryptocurrency accounts linked to the group have been frozen.
US Dept. of Justice
The US Dept. of Justice has announced that 2 defendants responsible for using LockBit to conduct ransomware attacks have been criminally charged, are in custody, & will face trial in the US.
The US has also unsealed indictments against 2 further individuals, who are Russian nationals, for conspiring to commit LockBit attacks.
As a result of their work, the NCA & international partners can assist LockBit victims. The Agency obtained over 1,000 decryption keys & will be contacting UK-based victims in the coming days & weeks to offer support & help them recover encrypted data.
Europol
FBI & Europol will be supporting victims elsewhere.
National Crime Agency Director General, Graeme Biggar commented: “This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber -crime group. It shows that no criminal operation, wherever they are, & no matter how advanced, is beyond the reach of the Agency & our partners.
“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, & obtained keys that will help victims decrypt their systems.
Locked Out
“As of today, LockBit are locked out. We have damaged the capability & most notably, the credibility of a group that depended on secrecy & anonymity.
“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, & how they operate. We are tenacious & we will not stop in our efforts to target this group & anyone associated with them.”
Home Secretary James Cleverly commented: “The National Crime Agency’s world leading expertise has delivered a major blow to the people behind the most prolific ransomware strain in the world.
Highly Organised
“The criminals running LockBit are sophisticated & highly organised, but they have not been able to escape the arm of UK law enforcement & our international partners.
“The UK has severely disrupted their sinister ambitions & we will continue going after criminal groups who target our businesses and institutions.”
US Attorney General Merrick B. Garland outlined: “For years, LockBit associates have deployed these kinds of attacks again & again across the US & worldwide. Today, US & UK law enforcement are taking away the keys to their criminal operation.
Decrypt
“And we are going a step further – we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems & regain access to their data. LockBit is not the 1st ransomware variant the US Justice Dept. & its international partners have dismantled. It will not be the last.”
FBI Director Christopher A. Wray explained: “Today, the FBI & our partners have successfully disrupted the LockBit criminal ecosystem, which represents one of the most prolific ransomware variants across the globe.
Critical Infrastructure
“Through years of innovative investigative work, the FBI & our partners have significantly degraded the capabilities of those hackers responsible for launching crippling ransomware attacks against critical infrastructure & other public & private organisations around the world.
This operation demonstrates both our capability & commitment to defend our nation’s cyber-security & national security from any malicious actor who seeks to impact our way of life.
We will continue to work with our domestic & international allies to identify, disrupt, & deter cyber threats, & to hold the perpetrators accountable.”
Tackling Cybercrime
The NCA leads the UK law enforcement response to tackling cybercrime, disrupting offenders where possible by enabling criminal justice outcomes, & also through a broad range of other means including online disruption, sanctions, travel bans, & collaborating with partners like NCSC to ensure technology is secure & safe by design.
The NCA’s National Cyber Crime Unit also works with a network of Regional Cyber Crime Units based in the 9 Regional Organised Crime Units (ROCU) of England & Wales. This operation developed from work by the SW ROCU & continues to be supported by personnel there.
Public Engagement
Public engagement is key to this response, so it is vital that organisations report if they are the victim of a ransomware attack. The earlier people report, the quicker the NCA & partners are able to assess new methodologies & limit the damage they can do to others.
If you are in the UK, you should use the Govt’s Cyber Incident Signposting Site as soon as possible for direction on which agencies to report your incident to.
