LockBit takedown: Infrastructure disrupted, criminals arrested, decryption keys recovered

In the wake of yesterday’s surprise law enforcement takeover of LockBit’s leak site, the UK National Crime Agency (NCA) and Europol have shared more information about the extent of the takedown.

“Today, after infiltrating the group’s network, the NCA has taken control of the infrastructure that allows the Lockbit service to operate, compromising their entire criminal enterprise and damaging their credibility,” the Agency said.

They’ve taken control of LockBit’s administration environment, which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, which will be showing information exposing LockBit’s capability and operations.

“The Agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have worked with them and used their services to harm organisations throughout the world.”

The successful LockBit takedown

Operation Cronos, involving officers from the NCA, the FBI, Europol and other law enforcement agencies, has led to:

• The arrest of two LockBit actors in Poland and Ukraine (they have been criminally charged and are to be extradited to the US to face trial)
• The indictment of two Russian nationals (for conspiring to commit LockBit attacks)
• The freezing of over 200 cryptocurrency accounts linked to the group
• The takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom (either belonging to the LockBit threat actors or to their affiliates)

“At present, a vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure and criminal assets linked to these criminal activities,” Europol stated.

Decryption keys have been recovered

“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners,” commented NCA Director Graeme Biggar.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

“With Europol’s support, the Japanese Police, the National Crime Agency and the Federal Bureau of Investigation have concentrated their technical expertise to develop decryption tools designed to recover files encrypted by the LockBit Ransomware,” Europol said.

“These solutions have been made available for free on the ‘No More Ransom’ portal, available in 37 languages.”

The NCA has over 1,000 decryption keys and will be contacting UK-based victims to offer support and help them recover encrypted data. The FBI and Europol will do the same with victims in the US and other countries.

“Beginning today, victims targeted by this malware are encouraged to contact the FBI to enable law enforcement to determine whether affected systems can be successfully decrypted,” the US Justice Deaprtment shared.

UPDATE (February 11, 2024, 10:20 a.m. ET):

Trend Micro researchers revealed today that the LockBit RaaS operation was working on developing a new version of the ransomware. They’ve analyzed it and shared their findings.

Secureworks researchers have outlined the outfit’s tactics, techniques, and procedures gleaned from 22 compromises featuring LockBit ransomware its incident responders investigated from July 2020 through January 2024, and have shared recommendations for victims and potential victims.