The LockBit ransomware operation has been severely disrupted by an international law enforcement operation that seized its servers and saw several individuals arrested or charged.
LockBit domains currently display a seizure notice informing visitors that the site is controlled by law enforcement, specifically the UK’s National Crime Agency (NCA). The notice indicates that the takedown is the result of an international operation involving the FBI and law enforcement agencies in Canada, Australia, France, Germany, Switzerland, Sweden, Finland, the Netherlands, and Japan, as well as Europol.
“We can confirm that LockBit’s services have been disrupted as a result of International Law Enforcement action — this is an ongoing and developing operation,” reads a message posted on the seized domains.
According to Europol, the operation resulted in two arrests, more than 200 cryptocurrency accounts being frozen, the takedown of 34 servers, and the closure of 14,000 rogue accounts. In addition, the law enforcement agency said “technical infrastructure that allows all elements of the LockBit service to operate” and leak websites have been taken over.
“At present, a vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure and criminal assets linked to these criminal activities,” Europol said.
The two individuals were arrested in Poland and Ukraine. In addition, three international arrest warrants and five indictments have been issued by authorities in France and the United States.
The US said it charged two alleged LockBit ransomware affiliates who have been taken into custody and await extradition, and unsealed indictments against two Russian nationals accused of conspiring to launch cyberattacks.
In its own press release, the NCA said it has “taken control of LockBit’s primary administration environment, which enabled affiliates to build and carry out attacks”. The NCA has also obtained 1,000 decryption keys that will help victims recover encrypted data.
“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” said NCA Director General Graeme Biggar.
“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity,” Biggar added. “Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate.”
Cybersecurity research and threat intelligence project Vx-Underground reported on X (formerly Twitter) that the law enforcement operation appears to have targeted “every single known Lockbit ransomware group website”, with at least 22 Tor sites being offline or displaying the seizure message.
Vx-Underground says it obtained confirmation of the takedown from LockBit’s administrative staff, who claimed that law enforcement gained control of the group’s systems by exploiting CVE-2023-3824. That identifier belongs to a memory-corruption bug in PHP’s handling of phar archives (insufficient length checking while reading phar directory entries can overflow a stack buffer), which PHP fixed in versions 8.0.30, 8.1.22 and 8.2.8 in August 2023; the ransomware gang described it as a remote code execution vulnerability.
The gang also claimed that only its PHP-based servers were compromised by the FBI, and that backup servers not running PHP were unaffected.
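If the gang’s account is accurate, the lesson for anyone running PHP is mundane: an unpatched interpreter from before August 2023. The following script is an added example written for this page, not code from the article, Vx-Underground or the PHP project. It parses `php -v` banners and triages each host against the per-branch fix versions for CVE-2023-3824 (8.0.30, 8.1.22, 8.2.8, taken from the PHP release announcements); the sample banners are constructed, and the host names are placeholders.

```python
import re

# Versions that shipped the fix for CVE-2023-3824, per PHP release branch
# (from the PHP 8.0.30 / 8.1.22 / 8.2.8 release announcements, 3 Aug 2023).
FIXED_VERSIONS = {
    (8, 0): (8, 0, 30),
    (8, 1): (8, 1, 22),
    (8, 2): (8, 2, 8),
}

# First line of `php -v` looks like: "PHP 8.2.7 (cli) (built: ...) (NTS)"
_VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_php_version(banner: str) -> tuple:
    """Return (major, minor, patch) from the output of `php -v`."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no PHP version found in banner")
    return tuple(int(x) for x in m.groups())


def assess_cve_2023_3824(version: tuple) -> str:
    """Classify a (major, minor, patch) tuple against the CVE-2023-3824 fix.

    Returns one of:
      "vulnerable"   - affected branch, older than the fix release
      "fixed"        - affected branch, at or after the fix release
      "end-of-life"  - 7.x and older: not covered by the advisory and no
                       longer receiving upstream security fixes
      "not-affected" - 8.3 and newer, all released after the fix
    """
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return "fixed" if version >= FIXED_VERSIONS[branch] else "vulnerable"
    if branch < (8, 0):
        return "end-of-life"
    return "not-affected"


def triage(banners: dict) -> dict:
    """Map host name -> assessment for a dict of host name -> `php -v` output."""
    results = {}
    for host, banner in banners.items():
        try:
            results[host] = assess_cve_2023_3824(parse_php_version(banner))
        except ValueError:
            results[host] = "unknown"  # banner did not parse; check manually
    return results


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_BANNERS = {
    "web-01": "PHP 8.2.7 (cli) (built: Jun  8 2023 12:00:00) (NTS)\nCopyright (c) The PHP Group",
    "web-02": "PHP 8.1.22 (cli) (built: Aug  3 2023 09:30:00) (NTS)",
    "panel":  "PHP 8.0.29 (cli) (built: Jun  8 2023 10:15:00) (NTS)",
    "legacy": "PHP 7.4.33 (cli) (built: Nov  3 2022 14:00:00) (NTS)",
    "new-01": "PHP 8.3.0 (cli) (built: Nov 23 2023 08:00:00) (NTS)",
    "broken": "bash: php: command not found",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host:8s} {verdict}")
```

Two caveats when using this in practice. Distributions such as Debian and Ubuntu backport security fixes without changing the upstream version number, so a "vulnerable" verdict from the banner alone must be confirmed against the package changelog (for example `apt changelog php8.1-cli`) before being reported. And the bug lives in phar parsing, so a host that never opens phar archives or exposes the `phar://` stream wrapper has far less exposure than one that does; the version check tells you what to patch, not how reachable the bug is.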
Vx-Underground also reported that when LockBit affiliates log into the ransomware panel, they are greeted by a message informing them that the LockBit platform is under the control of law enforcement, with investigators having obtained information such as source code, victim information, ransom amounts, and data stolen from targets.
“You can thank LockBitSupp [the leader of the LockBit operation] and their flawed infrastructure for this situation…we may be in touch with you very soon,” reads the message to LockBit ransomware affiliates.
LockBit has been the most active ransomware group in recent months, targeting hundreds of organizations and causing losses totaling billions since the start of the cybercrime operation.
In June 2023, the US government reported that organizations in the country had paid $91 million to the LockBit gang.
The list of high-profile organizations targeted by LockBit includes Infosys McCamish Systems (impacting Bank of America), fast food chain Subway, Foxconn subsidiary Foxsemicon, hospital system Capital Health, freight shipping giant Estes Express Lines, Boeing, and chip giant Taiwan Semiconductor Manufacturing Company (TSMC).
Several major cybercrime enterprises have been targeted in international law enforcement operations over the past year, including ransomware operations such as RagnarLocker, Hive, and BlackCat, as well as other types of malware, such as the NetWire RAT.
Related: US Offers $10 Million for Information on BlackCat Ransomware Leaders
Related: US Offers $10M Reward for Information on Hive Ransomware Leaders
Related: Ransomware Payments Surpassed $1 Billion in 2023: Analysis