Four arrested, LockBit victims to receive data recovery aid after UK, US, and Europe joint operation
The UK’s National Crime Agency announced that it now has control over the LockBit ransomware group’s “command and control” system. This came after seizing the gang’s website in a global operation. Data recovered from the hackers has resulted in four arrests. Authorities plan to use the seized system to reveal the group’s activities.
A joint operation involving the NCA, FBI, Europol, and several international police agencies was disclosed through a post on LockBit’s website. The post stated, “This site is now under the control of the UK’s National Crime Agency, in collaboration with the FBI and the international law enforcement task force Operation Cronos.”
Europol reported that two main actors of LockBit were arrested in Poland and Ukraine, while two additional defendants, believed to be affiliates, were arrested and charged in the US. Two other individuals, identified as Russian nationals, remain at large. Authorities have also frozen over 200 cryptocurrency accounts associated with the criminal organization.
The disruption to LockBit’s operation is more extensive than initially disclosed. In addition to seizing control of the public-facing website, the NCA also took over LockBit’s main administration environment. This infrastructure enabled the group to manage and deploy the technology used to extort businesses and individuals globally.
Graeme Biggar, the NCA’s director general, stated, “Through our close collaboration, we have countered the hackers by taking control of their infrastructure, seizing their source code, and obtaining keys to help victims decrypt their systems. As of today, LockBit is effectively locked out. We have significantly disrupted the group’s capabilities and, notably, its credibility, which relied on secrecy and anonymity.”
The organization is a pioneer of the “ransomware as a service” model. This model involves outsourcing target selection and attacks to a network of semi-independent “affiliates,” who are provided with tools and infrastructure. In return, the organization takes a commission on the ransoms.
In addition to encrypting data and demanding payment for the decryption key, LockBit also copied stolen data and threatened to publish it unless the ransom was paid. They promised to delete the copies upon receiving payment.
However, the NCA found that this promise was not upheld. Some of the data found on LockBit’s systems belonged to victims who had already paid the ransom.
Home Secretary James Cleverly remarked, “The NCA’s exceptional expertise has dealt a significant blow to those responsible for the most prolific ransomware strain globally. The operators of LockBit are sophisticated and highly organized criminals, yet they have not been able to evade UK law enforcement and our international partners.”
The “hack back” initiative also retrieved over 1,000 decryption keys intended for LockBit attack victims. Authorities will contact these victims to assist them in recovering their encrypted data.
In a recent blog post, former National Cyber Security Centre chief Ciaran Martin highlighted that the involvement of Russian hackers in cybercrime undermines many standard law enforcement tactics. He cautioned, “We should impose costs when possible: there are actions we can take to disrupt cybercriminals. However, this will not be a long-term strategic solution as long as Russia continues to provide a safe haven.”