London — Law-enforcement agencies have infiltrated and disrupted Lockbit, a prolific ransomware syndicate behind cyberattacks around the world, Britain’s National Crime Agency (NCA) said Tuesday.
The agency said it led an international operation targeting LockBit, which provides ransomware as a service to so-called affiliates who infect victim networks with the computer-crippling malware and negotiate ransoms. The group has been linked to thousands of attacks since 2019.
Hours before the announcement, the front page of LockBit’s site was replaced with the words “this site is now under control of law enforcement,” alongside the flags of the U.K., the U.S. and several other nations.
Handout via Reuters
The message said the website was under the control of the U.K.’s National Crime Agency “working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos.”
It says it is an “ongoing and developing operation” that also involves agencies from Germany, France, Japan, Australia, New Zealand and Canada, among others, including Europol.
LockBit, which has been operating since 2019, has been the most prolific ransomware syndicate for two years running. The group accounted for 23% of the nearly 4,000 attacks globally last year in which ransomware gangs posted data stolen from victims to extort payment, according to the cybersecurity firm Palo Alto Networks.
A rare offensive cyber-operation for the U.K. crime agency, the operation aimed to steal all of LockBit’s data and then destroy its infrastructure, causing a “significant major degradation” of the cybercrime threat.
U.S. Attorney General Merrick Garland is quoted in a Justice Department announcement as saying, “For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation.
“And we are going a step further — we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data. LockBit is not the first ransomware variant the Justice Department and its international partners have dismantled. It will not be the last.”
LockBit is dominated by Russian speakers and does not attack former Soviet nations. The syndicate provides clients with the platform and the malware to conduct attacks and collect ransoms.
It has been linked to attacks on the U.K.’s Royal Mail, Britain’s National Health Service, airplane manufacturer Boeing, international law firm Allen and Overy and China’s biggest bank, ICBC.
Last June, U.S. federal agencies released an advisory that attributed about 1,700 ransomware attacks in the United States since 2020 to LockBit and said victims included “municipal governments, county governments, public higher education and K-12 schools, and emergency services.”
An NCA official called LockBit “the Instagram or Rolls-Royce” of ransomware and said the aim of the operation was to discredit the syndicate and “obliterate their reputation.”
“Attacking the brand is as important as attacking the infrastructure,” said an NCA official, adding that the goal of the operation was to “sow distrust amongst all the criminal users, shatter their credibility.”
Ransomware is the costliest and most disruptive form of cybercrime, crippling local governments, court systems, hospitals and schools as well as businesses. It is difficult to combat as most gangs are based in former Soviet states and out of reach of Western justice. Law enforcement agencies have scored some recent successes against ransomware gangs, most notably the FBI’s operation against the Hive syndicate. But the criminals regroup and rebrand.
Britain’s National Cyber Security Centre has previously warned that ransomware remains one of the biggest cyber threats facing the U.K. and urges people and organizations not to pay ransoms if they are targeted.