LockBit, described by law enforcement officials “as one of the world’s most prolific ransomware gangs,” has been dismantled in a coordinated campaign involving officials in the United States, United Kingdom, and half a dozen other countries, multiple agencies announced today.
The U.S. Department of Justice unsealed an indictment against two Russian men, Artur Sungatov and Ivan Kondratyev, for carrying out LockBit attacks against U.S. companies. Sungatov allegedly hit manufacturers, insurance firms, and other companies across at least six states since January 2021.
“Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation,” U.S. Attorney General Merrick Garland said in the DOJ release. “And we are going a step further—we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data.”
Kondratyev, known online as “Bassterlord,” allegedly deployed the ransomware on targets ranging from city governments to corporations in Oregon, Puerto Rico, and overseas starting in August 2021.
The global scope of Operation Cronos to take down LockBit. Image: Europol
The Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Sungatov and Kondratyev, banning U.S. individuals and companies from doing business with them and freezing any assets under U.S. jurisdiction, and added nine Bitcoin and one Ethereum wallet addresses linked to them to the sanction list.
The months-long “Operation Cronos” resulted in the seizure of dozens of servers across Europe, North America, and Australia that were used to carry out LockBit’s ransomware attacks, which encrypted victims’ data and extorted them for payments, according to a Tuesday announcement from Europol.
Authorities also took control of the portal on the dark web where LockBit published sensitive data stolen from victims who refused to pay.
“We have now destroyed the online backbone of the LockBit group, one of the world’s most prolific ransomware gangs,” said Europol Executive Director Catherine De Bolle in the statement.
“The first step to putting cybercriminals behind bars is to report cybercrime when it happens,” she added. “The earlier people report, the quicker law enforcement is able to assess new methodologies and limit the damage they can cause.”
What was LockBit?
LockBit first appeared in early 2020, using ransomware that encrypts victims’ files and locks them out of their networks unless they pay a ransom, usually in cryptocurrency. According to the indictment from the DOJ, payments were typically demanded in Bitcoin.
Like other “ransomware-as-a-service” gangs, LockBit operated through a core group of developers who created the malware tools and ran the infrastructure, then recruited affiliates to infect targets in exchange for a cut of the proceeds. LockBit’s developers maintained a dashboard that enabled affiliates to launch attacks with a few clicks.
In 2022, LockBit eclipsed other ransomware strains to become the most widely deployed in the world, according to Europol. The syndicate raked in over $120 million in ransom payments from more than 2,000 victims globally, according to the Justice Department, with total demands likely reaching the hundreds of millions.
LockBit gained notoriety for using “triple extortion,” threatening victims not just with encrypted data but also stolen information exposure and crippling denial-of-service attacks.
Authorities strike back
The “Operation Cronos” task force of law enforcement agencies from 10 countries was chipping away at LockBit for months. The turning point came with the seizure of dozens of command-and-control servers LockBit relied on to deploy ransomware and manage its operations. Authorities have now “taken control of the technical infrastructure that allows all elements of the LockBit service to operate,” according to Europol.
As a result, “more than 14,000 rogue accounts responsible for exfiltration or infrastructure have been identified and referred for removal,” the agency stated.
In addition, French and U.S. officials have arrested or brought charges against a growing list of alleged LockBit members. Poland detained ransomware suspect Ivan Kondratiev in October 2022, while another Russian national was arrested in Ukraine.
Three international arrest warrants have been issued in connection with the recent offensive. French authorities also secured five indictments. Authorities have meanwhile frozen cryptocurrency wallets that LockBit members allegedly used for ransom payments.
“This underscores the commitment to disrupt the economic incentives driving ransomware attacks,” the DOJ said.
Helping victims recover
With control of LockBit’s systems, authorities have obtained decryption keys to help hundreds of victims regain access to their data.
“We are turning the tables on LockBit, providing decryption keys, unlocking victim data, and pursuing LockBit’s criminal affiliates around the globe,” Deputy Attorney General Lisa Monaco said in the announcement.
Victims of LockBit attacks are encouraged to contact law enforcement through a Justice Department website to determine if their files can be decrypted.
These solutions have also been made available for free on the ‘No More Ransom’ portal, available in 37 languages. So far, more than 6 million victims across the globe have benefitted from No More Ransom, which contains over 120 solutions capable of decrypting more than 150 types of ransomware.
Monaco said the operation deals a major setback to one of the most aggressive ransomware groups, but would not be the last action against cyber criminals.
“Our investigation will continue, and we remain as determined as ever to identify and charge all of LockBit’s membership—from its developers and administrators to its affiliates,” said U.S. Attorney Philip Sellinger. “We will put a spotlight on them as wanted criminals. They will no longer hide in the shadows.”
Edited by Andrew Hayward