LockBit Ransomware Gang's Operations Shut Down with Arrests and Indictments

The LockBit ransomware gang's illicit activities have been significantly disrupted with the recent announcement from the U.K. National Crime Agency (NCA). The NCA disclosed that it successfully acquired LockBit's source code and gathered intelligence regarding its operations and associated groups through Operation Cronos, a dedicated task force.

An important revelation from the NCA is that data found on LockBit's systems included information from victims who had already paid a ransom, contradicting the promises made by the criminals to delete such data. This underscores the risks associated with complying with ransom demands.

Further, the NCA confirmed the arrest of two individuals connected to LockBit in Poland and Ukraine. Additionally, over 200 cryptocurrency accounts linked to the group have been frozen, and indictments have been unsealed in the U.S. against two Russian nationals allegedly involved in LockBit attacks.

Artur Sungatov and Ivan Gennadievich Kondratiev, known as Bassterlord, have been accused of deploying LockBit against numerous victims, including businesses across various industries in the U.S. and globally. Kondratiev faces additional charges related to the use of the Sodinokibi (REvil) ransomware variant.

The recent actions come after an international effort to disrupt LockBit, described by the NCA as one of the most harmful cybercrime groups worldwide. As part of the operation, the agency took control of LockBit's services and infiltrated its entire criminal network, including affiliate administration environments and dark web leak sites.

Furthermore, 34 servers belonging to LockBit affiliates have been dismantled, and authorities have retrieved over 1,000 decryption keys from confiscated servers. LockBit, active since late 2019, operates on a ransomware-as-a-service model, licensing encryptors to affiliates who execute attacks in exchange for a portion of the ransom.

LockBit's attacks involve double extortion tactics, where sensitive data is stolen before encryption, adding pressure on victims to pay to prevent data leakage. The group has also experimented with triple extortion, incorporating DDoS attacks alongside traditional ransom tactics.

Custom tools like StealBit facilitate data exfiltration, with authorities seizing infrastructure used for organizing and transferring victim data. According to Eurojust and the DoJ, LockBit attacks have affected over 2,500 victims worldwide, generating illicit profits exceeding $120 million.

NCA Director General Graeme Biggar emphasized the success of the collaborative effort in crippling LockBit's operations, highlighting the acquisition of crucial keys to aid victims in decrypting their systems. He also warned that while LockBit may attempt to rebuild, law enforcement agencies are aware of their identity and methods, indicating a significant blow to their credibility and capabilities.
