Lockbit: How A Global Police Operation Just Took Down a Notorious Ransomware

For the last four years, the LockBit ransomware group has been on an unrelenting rampage, hacking into thousands of businesses, schools, medical facilities, and governments around the world—and making millions in the process. A children’s hospital, Boeing, the UK’s Royal Mail, and sandwich chain Subway have all been recent victims.

But LockBit’s hacking campaign has come to a juddering halt. A sweeping law enforcement operation, led by police at the UK’s National Crime Agency (NCA) and involving investigators from 10 forces around the world, has infiltrated the ransomware group and taken its systems offline.

Graeme Biggar, the director general of the NCA, says the group has been “fundamentally disrupted.” The law enforcement operation, called “Operation Cronos,” has taken control of LockBit’s infrastructure and administration system, seized its dark web leak site, accessed its source code, seized around 11,000 domains and servers, and obtained details of the group’s members. “As of today, LockBit is effectively redundant,” Biggar said at a press conference in London, appearing with law enforcement officials from the FBI and Europol. “We have hacked the hackers,” he says.

The action is one of the largest, and potentially most significant, ever taken against a cybercrime group. Biggar says the law enforcement officials consider LockBit, which is global in nature, to have been the “most prolific and harmful” ransomware group that has been active in recent years. It was responsible for 25 percent of attacks in the last year. “LockBit ransomware has caused losses of billions,” Biggar says of the overall costs of attacks and recovery.

As well as the seizing of technical infrastructure, the law enforcement operations around LockBit also include arrests in Poland, Ukraine, and the United States and sanctions for two alleged members of the group who are based in Russia. The group has members spread around the world, the officials said.

Nicole M. Argentieri, acting assistant attorney general at the US Department of Justice, says LockBit has received more than $120 million in ransomware payments and the action announced against the group is just the start of the clampdowns.

The law enforcement action against LockBit was first revealed when its ransomware website dropped offline on February 19 and was replaced by a holding page saying it had been seized by police. The LockBit group, which debuted as “ABCD” before changing its name, first appeared at the end of 2019. Since then LockBit has rapidly attacked businesses and grown its name recognition within the cybercrime ecosystem. “LockBit has been a thorn in the side of businesses and governments for years, with well over 3,000 publicly known victims and [has been] seemingly untouchable,” says Allan Liska, an analyst specializing in ransomware for cybersecurity firm Recorded Future. Lockbit’s long roster of victims include various US government organizations, ports, and automotive companies.

LockBit operates as a “ransomware-as-a-service” operation, with a core handful of members creating its malware, and running its website and infrastructure. This core group licenses its code to “affiliates” who launch attacks against companies, steal their data, and try to extort money from them. “LockBit is the last of the “open affiliate” ransomware-as-a-service offerings, meaning anyone willing to cough up the cash can join their program with little or no vetting,” Liska says. “They likely have had hundreds of affiliates over the course of their run.”