A notorious cyber crime group described by spies as the biggest ransomware threat to companies in Britain has been dismantled by law enforcers in an international operation spearheaded by the National Crime Agency.
“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” said Graeme Biggar, the NCA’s director general.
“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.
“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”
Home Secretary James Cleverly said: “The National Crime Agency’s world leading expertise has delivered a major blow to the people behind the most prolific ransomware strain in the world.
“The criminals running LockBit are sophisticated and highly organised, but they have not been able to escape the arm of UK law enforcement and our international partners.”
LockBit had targeted thousands of organisations worldwide, ranging from the Royal Mail and the Food and Drink Federation in this country to international law firms and the aviation giant Boeing, by hacking sensitive data and demanding huge payments to stop it being leaked.
Its prolific activities prompted a warning last year from GCHQ’s National Cyber Crime Centre that the gang – led by Russian-speaking hackers – was “almost certainly the most deployed ransomware strain in the UK” and the “highest ransomware threat to UK organisations”.
But its website is now under the control of the National Crime Agency after a successful international operation to halt its criminal blackmailing involving the FBI, Europol and other international law enforcers. Two alleged members of LockBit, which the NCA said had cost businesses “billions of pounds, dollars and euros” in ransom payments and recovery costs, were arrested on Tuesday in Poland and Ukraine, and more cryptocurrency accounts linked to the group have been frozen.
Announcing the success, the NCA’s Mr Biggar added: “This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.”
The US Department of Justice has also charged two suspects in custody accused of using LockBit to carry out ransomware attacks and unsealed indictments against two others, who are Russian nationals, for conspiring to commit LockBit attacks.
US Attorney General Merrick B. Garland said: “For years, LockBit associates have deployed attacks again and again across the United States and around the world. Today, US and UK law enforcement are taking away the keys to their criminal operation.”
The success comes more than four years after LockBit was first discovered in 2020 when its malicious software was found on Russian-language cybercrime forums. That has led to suspicion that it is a Russian-backed entity, although the group has previously used its dark web site to claim that it was “located in the Netherlands, completely apolitical and only interested in money”.
Until it was taken under control by law enforcers, LockBit’s website displayed a list of victims with a digital clock alongside the name of each one giving the time it had left to pay the ransom to stop its hacked data being leaked.
Security analysts had assessed that it was responsible for around 25 per cent of all ransomware attacks, making it the largest criminal organisation involved in such hacking.
US officials have previously echoed the analysis of UK law enforcers in describing LockBit as the biggest threat to its companies, saying that more than 1,700 had been hit by its ransomware attacks. The hacking group was understood to operate by allowing affiliated criminal gangs to use its hacking tools.
“They are the Walmart of ransomware groups, they run it like a business – that’s what makes them different,” Jon DiMaggio, chief security strategist at Analyst1, a US cybersecurity firm, told the Reuters news agency.
Don Smith, vice president of Secureworks, an arm of Dell Technologies, said LockBit “dwarfed all other [ransomware] groups” and that the success in halting its operations was “highly significant”.
He added: “LockBit was the most prolific and dominant ransomware operator in a highly competitive underground market.
“LockBit’s affiliates’ allegiances with the group were already fickle and so whilst some may be dissuaded, unfortunately many will likely align with other criminal organisations.”
As well as the NCA, the FBI and Europol, police from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany were involved in the operation against LockBit.