
SecurityWeek

Ransomware

Law Enforcement Hacks LockBit Ransomware, Delivers Major Blow to Operation

The LockBit ransomware operation has been severely disrupted by an international law enforcement operation resulting in server seizures and arrests.

Lockbit ransomware takedown

The LockBit ransomware operation has been severely disrupted by an international law enforcement operation that involved the seizure of servers and the arrest or indictment of several individuals.

LockBit domains currently display a seizure notice informing visitors that the site is controlled by law enforcement, specifically the UK’s National Crime Agency (NCA). The notice indicates that the takedown is the result of an international operation involving the FBI and law enforcement agencies in Canada, Australia, France, Germany, Switzerland, Sweden, Finland, the Netherlands, and Japan, as well as Europol.

“We can confirm that LockBit’s services have been disrupted as a result of International Law Enforcement action — this is an ongoing and developing operation,” reads a message posted on the seized domains.

According to Europol, the operation resulted in two arrests, more than 200 cryptocurrency accounts being frozen, the takedown of 34 servers, and the closure of 14,000 rogue accounts. In addition, the law enforcement agency said “technical infrastructure that allows all elements of the LockBit service to operate” and leak websites have been taken over.

“At present, a vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure and criminal assets linked to these criminal activities,” Europol said.

The two arrested individuals are located in Poland and Ukraine. In addition, three international arrest warrants and five indictments have been issued by authorities in France and the United States. 

The US said it charged two alleged LockBit ransomware affiliates who have been taken into custody and await extradition, and unsealed indictments against two Russian nationals accused of conspiring to launch cyberattacks.

In its own press release, the NCA said it has “taken control of LockBit’s primary administration environment, which enabled affiliates to build and carry out attacks”. The NCA has also obtained 1,000 decryption keys that will enable organizations to recover encrypted data.


“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” said NCA Director General Graeme Biggar.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity,” Biggar added. “Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate.”

Cybersecurity research and threat intelligence project Vx-Underground reported on X (formerly Twitter) that the law enforcement operation appears to have targeted “every single known Lockbit ransomware group website”, with at least 22 Tor sites being offline or displaying the seizure message. 

Vx-Underground claims to have obtained confirmation of the takedown from LockBit’s administrative staff, with the cybercriminals claiming that law enforcement exploited a PHP remote code execution vulnerability tracked as CVE-2023-3824 to take control of its systems. 

However, the hackers claimed that only servers running PHP were compromised by the FBI, and that backup servers not using PHP were unaffected.

Vx-Underground also reported that when LockBit affiliates log into the ransomware panel, they are greeted by a message informing them that the LockBit platform is under the control of law enforcement, with investigators having obtained information such as source code, victim information, ransom amounts, and data stolen from targets.

“You can thank LockBitSupp [the leader of the LockBit operation] and their flawed infrastructure for this situation…we may be in touch with you very soon,” reads the message to LockBit ransomware affiliates. 

LockBit has been the most active ransomware group in recent months, targeting hundreds of organizations and causing losses totaling billions since the start of the cybercrime operation. 

In June 2023, the US government reported that organizations in the country had paid $91 million to the LockBit gang. 

The list of high-profile organizations targeted by LockBit includes Infosys McCamish System (impacting Bank of America), fast food chain Subway, Foxconn subsidiary Foxsemicon, hospital system Capital Health, freight shipping giant Estes Express Lines, Boeing, and chip giant Taiwan Semiconductor Manufacturing Company (TSMC).

Several major cybercrime enterprises have been targeted in international law enforcement operations over the past year, including ransomware such as RagnarLocker, Hive, and BlackCat, as well as other types of malware, such as the NetWire RAT.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
