Evening Standard
Saqib Shah

What is Lockbit? UK's National Crime Agency disrupts 'world’s most harmful cybercrime group'

The operations of “the world’s most harmful cybercrime group” have been infiltrated by law enforcement, leading to arrests and the seizure of stolen cryptocurrency.

One of the biggest players in the shadowy world of ransomware, LockBit, supplied the tools used by malicious hackers in numerous high-profile extortion attacks worldwide. An international clampdown was launched in 2022 to dismantle its sprawling operation. This was the same year its eponymous tool became the most used ransomware in the world.

In a breakthrough, the UK’s National Crime Agency (NCA) said on Tuesday (February 20) that it had taken control of the group’s services, “comprising their entire criminal enterprise”.

Europol arrested two people involved with LockBit, while three international arrest warrants and five indictments were issued for others affiliated with the outfit.

Here’s what you need to know about the world’s most notorious cybercrime gang.

What is LockBit?

LockBit is a ransomware-as-a-service group that provides different versions of its software to cybercriminals, known as “affiliates”. These programs go by the names of abcd, LockBit 1.0, LockBit 2.0, LockBit 3.0, and LockBit Green.

The group sells access to its software, which is used to compromise large computer networks. It then takes a cut of up to 75 per cent of the money paid back by victims in ransoms. In addition, it profits from an extortion tactic whereby its “affiliates” steal the data from major organisations and threaten to publish it online.

Based on the language used in its communications and the countries it targets, cybersecurity experts and law enforcement agencies strongly suspect LockBit operates primarily from Russia or a Russian-speaking country.

What attacks did LockBit carry out?

LockBit has had thousands of victims globally and more than 200 in the UK, including public service bodies such as hospitals.

In 2020, the company that makes Apple’s iPhones, Foxconn, suffered a LockBit ransomware attack that targeted a facility in Mexico. The following year, LockBit hit Accenture, a global consulting giant. It claimed to have stolen a massive amount of data and threatened to release it if the ransom wasn't paid. 

Then, in 2022, LockBit was used in a spate of ransomware attacks. Its victims included a digital security company called Entrust, automotive parts maker Continental, and Indian airline SpiceJet.

The group became renowned in the UK last year with attacks on a supplier of the Ministry of Defence and Royal Mail.

Is LockBit still active?

On Tuesday, the NCA said it had taken over a website used by LockBit to sell services. The site was overlaid with a message on Monday evening saying it was “now under the control of law enforcement”.

Director-general of the NCA, Graeme Biggar, said: “We have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”

US authorities have charged five Russians in connection with LockBit, and two other suspects have been arrested in Poland and Ukraine. About 200 cryptocurrency accounts have also been frozen by investigators.
