LockBit: How an international operation seized control of ‘the world’s most harmful cybercrime group’

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Kate Whiting, Senior Writer, Forum Agenda

• The world’s ‘most harmful cyber group’, LockBit, has been disrupted by an international law enforcement task force called Operation Cronos.
• Led by the UK’s National Crime Agency and the US FBI, the operation has exposed the operations and capabilities of the group, and made two arrests.
• The World Economic Forum’s Cybercrime Atlas provides a platform for cybercrime investigators to generate actionable insights into cybercrime networks using open-source research.

An international task force of law-enforcement agencies from 10 countries, dubbed Operation Cronos, has disrupted the operations of the world’s most prolific ransomware group LockBit, responsible for high-profile cyber attacks on organizations across the globe.

In what Europol describes as a “significant breakthrough in the fight against cybercrime”, LockBit’s technical infrastructure and its public-facing leak site on the dark web was seized after a months-long operation.

On 19 February, Operation Cronos posted a message on the site that read:

“This site is now under the control of the National Crime Agency (NCA) of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.

“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation.”

On 20 February, the NCA published details of the operation – and replaced content on the LockBit website, which was used to host stolen data from victims, with an exposé on LockBit’s operations and capabilities, including decryption keys, news of two arrests and a $10 million reward for information on ‘LockBitSupp’, the gang’s alleged ringleader.

What Operation Cronos has achieved so far in taking down ransomware group LockBit. Image: Europol

NCA Director General Graeme Biggar said: “This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cybercrime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

What do we know about LockBit?

LockBit has been operating since 2019, when it first called itself ‘ABCD’ ransomware, targeting thousands of victims around the world with ransomware attacks that have cost billions of dollars in terms of both ransom payments and recovery costs.

A ransomware attack is one where cybercriminals hack into your device, use malicious software (malware) to encrypt and steal information, preventing you from accessing it, and then threaten to leak that data unless you pay a ransom in cryptocurrency.

LockBit essentially offered ransomware services to its global network of hackers or ‘affiliates’, giving them the malware and platform to carry out these attacks and collect ransoms from thousands of victims globally.

Among the group’s most prominent victims were the UK’s Royal Mail, aeroplane maker Boeing, China’s biggest bank ICBC and law firm Allen & Overy.

In the US alone, around 1,700 attacks have been attributed to LockBit since 2020, including governments at city and county level, emergency services and schools.

Discover

How is the Forum tackling global cybersecurity challenges?

The World Economic Forum’s Centre for Cybersecurity at the forefront of addressing global cybersecurity challenges and making the digital world safer for everyone.

Our goal is to enable secure and resilient digital and technological advancements for both individuals and organizations. As an independent and impartial platform, the Centre brings together a diverse range of experts from public and private sectors. We focus on elevating cybersecurity as a key strategic priority and drive collaborative initiatives worldwide to respond effectively to the most pressing security threats in the digital realm.

Learn more about our impact:

• Cybersecurity training: In collaboration with Salesforce, Fortinet and the Global Cyber Alliance, we are providing free training to the next generation of cybersecurity experts. To date, we have trained more than 122,000 people worldwide.
• Cyber resilience: Working with more than 170 partners, our centre is playing a pivotal role in enhancing cyber resilience across multiple industries: oil and gas, electricity, manufacturing and aviation.

Want to know more about our centre’s impact or get involved? Contact us.

What has Operation Cronos achieved?

The task force seized LockBit’s bespoke data exfiltration tool, Stealbit, which was based in three countries and used to steal data, as well as 28 servers belonging to the group’s affiliates, said the NCA.

Meanwhile, the EU’s law-enforcement cooperation organization, Europol, coordinated the arrest of two LockBit members in Poland and Ukraine and froze 200 cryptocurrency accounts linked to the group.

In the US, indictment charges against Russian nationals Artur Sungatov and Ivan Kondratyev, aka ‘Bassterlord’, for using LockBit against businesses globally, were unsealed by the Department of Justice.

Operation Cronos has also obtained more than 1,000 decryption keys, which can help victims recover their data.

The NCA’s Biggar said: “Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

What businesses can do to protect themselves

Cyber insecurity is the fourth biggest risk facing the world in the coming two years, according to the World Economic Forum’s Global Risks Report 2024, published in January. Moreover, Chainalysis reported this month that in 2023, ransomware payments globally exceeded $1 billion for the first time.

Yet there are steps businesses can take to protect themselves. Europol, for instance, regularly updates its tips to prevent ransomware infecting electronic devices, with a simple list of dos and don’ts and advice on what to do should a device become infected.

In addition, since 2020, the World Economic Forum’s Partnership Against Cybercrime has brought experts from the private sector and law enforcement together to develop recommendations that enhance public-private collaboration to counter cybercrime. Following on from these recommendations, in January 2023, the Forum launched the Cybercrime Atlas initiative to map and better understand the cybercriminal ecosystem.

The initiative provides a platform for cybercrime investigators to collaborate and generate new insights into cybercriminal networks using open-source research. The Cybercrime Atlas community is made up of organizations who have a key role in the fight against cybercrime and can use actionable findings from Cybercrime Atlas research to systematically disrupt cybercrime.

Have you read?

• Cybercrime and violent crime are converging: here’s how to deal with it