LockBit disrupted by international law enforcement task force

On Monday afternoon, LockBit’s leak site has been taken over by a coalition of law enforcement agencies and is showing a seizure notice that promises more details today, at 11:30 GMT.

LockBit law enforcement

“This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” the notice says.

“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation.”

Simultaneously, according to VX-underground, LockBit affiliate accessing the LockBit panel are faced with another message from the Operation Cronos task force:

“Law Enforcement has taken control of Lockbit’s platform and obtained all the information held on there. This information relates to the Lockbit group and you, their affiliate. We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more. You can thank Lockbitsupp and their flawed infrastructure for this situation.. we may be in touch with you very soon.”

The action comes two months after a similar law enforcement action has been executed to disrupt the sites of the ALPHV/Blackcat ransomware gang. At the time, the FBI released a decryptor for victims to use.

Down, but likely not out

William Wright, CEO of Closed Door Security, says that LockBit is the most prolific ransomware gang to ever have existed and it was responsible for devastating attacks on hundreds of businesses, including the Royal Mail, so it’s not surprising the UK’s NCA wanted to feature so heavily in this disruption.

“LockBit not only carried out attacks by its operators, but it also ran a ransomware-as-a-service (RaaS) infrastructure which could be rented out by its affiliates to launch attacks. It could be said that LockBit was largely responsible for the growth of the ransomware industry today. Its affiliates saw big financial returns from the attacks, which undoubtedly made ransomware the attack-of-choice for many criminals and drew others to the industry,” he added.

“The one caveat to this takedown is that it may not spell absolute demise of LockBit. The attackers could resurface under new branding as we have seen with DarkSide to BlackMatter to BlackCat, and many others.”

Andy Kays, CEO of Socura, noted that LockBit’s takedown required the dedicated action of multiple countries and government agencies, which highlights the scale, importance, and complexity of the task.

“I expect that these agencies would have only acted when they knew with some certainty that they could hit them hard. However, the group still maintains that they have backup servers. At this stage, it’s always extremely difficult to know if a campaign like this will put a group out of action for good. This always depends on where the individuals are based, and if they are known to the authorities. We’ve seen time and time again, that the same individuals can re-emerge and re-group.”

Huseyin Can Yuceel, security researcher at Picus Security, pointed out that ransomware groups often leverage public-facing vulnerabilities and that Operation Cronos gave LockBit operators a taste of their own medicine.

“According to LockBit admins, the law enforcement agencies exploited PHP CVE-2023-3824 vulnerability to compromise LockBit’s public-facing servers and gain access to LockBit source code, internal chat, victims’ details, and stolen data,” he told Help Net Security.

“Although the LockBit group claims to have untouched backup servers, it is unclear whether they will be back online. Currently, LockBit associates are not able to login to LockBit services. In a Tox message, adversaries told their associates that they would publish a new leak site after the rebuild.”

UPDATE (February 20, 2024, 07:30 a.m. ET):

The UK National Crime Agency (NCA) and Europol have shared more information about the LockBit takedown.

Don't miss