LockBit’s website has been seized and its ransomware operations disrupted by international law enforcement agencies. Under the auspices of “Operation Cronos,” a joint investigation by 11 separate law enforcement services, the site now appears to be under the control of the UK’s National Crime Agency (NCA) and the US Federal Bureau of Investigation. The latter also encouraged previous LockBit victims to get in touch via a dedicated website to determine whether or not their systems can be decrypted using the data seized in the law enforcement operation.
“The NCA has taken control of LockBit’s primary administration environment, which enables affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims,” read a statement posted by the agency earlier today. “Instead, this site will now host a series of information [bulletins] exposing LockBit’s capability and operations, which the NCA will be posting daily throughout the week.”
LockBit appear to have been undermined by PHP exploit
The NCA also claims to obtained the source code of LockBit’s platform, as well as reams of intelligence about their prior activities and affiliates. “Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” it continued.
BleepingComputer, LockBit’s ancillary ransom negotiation sites are also down, though websites used to send private messages to members of the gang and host data were online at the time of writing. If the statements of the assumed ringleader of the cybercriminal enterprise ‘LockbitSupp’ on the Tox messaging service are to be believed, then the gang’s operations were disrupted by a PHP exploit deployed by the FBI. This was seemingly confirmed by the NCA, which claimed that 28 servers belonging to LockBit affiliates had been taken down by members of Operation Cronos. However, ‘LockbitSupp’ added that “[b]ackup servers without PHP can’t be touched.”
LockBit’s affiliate panel also appears to have been seized by members of Operation Cronos, along with victim information and internal groupchats. “You can thank Lockbitsupp and their flawed infrastructure for this situation,” reads a message from law enforcement agencies posted on the panel. “[W]e may be in touch with you very soon.” The Department of Justice additionally revealed that two Russian nationals had been charged in New Jersey for deploying LockBit ransomware against corporations throughout the US.
“Today’s indictment, unsealed as part of a global coordinated action against the most active ransomware group in the world, brings to five the total number of LockBit members charged by my office and our FBI and Computer Crime and Intellectual Property Section partners for their crimes,” wrote US Attorney Philip R. Sellinger in a statement published earlier today. “And, even with today’s disruption of LockBit, we will not stop there. Our investigation will continue, and we remain as determined as ever to identify and charge all of LockBit’s membership — from its developers and administrators to its affiliates. We will put a spotlight on them as wanted criminals. They will no longer hide in the shadows.”
Gang notorious for double extortion methods
LockBit was first observed by cybersecurity researchers in September 2019. According to Blackberry, it primarily targets SMEs, buying access to compromised networks or else breaking into companies by exploiting unpatched vulnerabilities, among other methods. Once inside a company’s systems, LockBit hackers begin acquiring information about the network and attempt to establish control over it before issuing their ransom demands. These usually involve two forms of extortion: forcing the victim to pay a ransom to reacquire their data, and then an additional fee to prevent it being published on one of LockBit’s victim sites.
LockBit has also proven adept at wreaking havoc at major corporations and public institutions. In summer 2022, the group’s malware was used to cripple the NHS’ 111 helpline. The following year, Lockbit also hacked the Japanese port of Nagoya, semiconductor giant TSMC and Varian Medical Systems. In the latter case, the gang threatened to leak confidential medical data belonging to cancer patients if their ransom demands were not met.
Operation Cronos will have struck a serious blow against LockBit, said Netwrix’s Field CISO EMEA and vice-president of security research Dirk Schrader. “The operation penetrated deep into the network behind LockBit and tried to uproot much if not all the elements in the Lockbit supply chain, as the notes left for crooks logging in to the platform indicate,” said Schrader. “That approach increases the chances that Lockbit will not resurface again, unlike other ransomware platforms recently, like Trickbot and ALPHV. Only time can tell whether this will be true.”