LockBit Ransomware Operation Disrupted by Law Enforcement; Decryptor Released

The world’s most harmful cybercrime group – LockBit – has had its infrastructure seized in a global law enforcement operation. Law enforcement agencies from 10 countries participated in Operation Cronos, which was led by the UK National Crime Agency (NCA) and was coordinated by Europol and Eurojust. Up until the takedown, LockBit was the most prolific ransomware group in operation. The group has been active for 4 years and has targeted thousands of organizations globally. The U.S. Department of Justice reported today that the group has conducted more than 2,000 attacks since 2020 and has demanded hundreds of millions of dollars in ransoms, which must be paid to decrypt files and have the stolen data removed from the group’s data leak site. The group is known to have been paid at least $120 million in ransoms; however, the attacks conducted by the group have caused losses of billions of dollars.

The operation took down 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom. The affiliate portal has been seized, as have the group’s Tor and data leak sites. More than 200 cryptocurrency wallets have also been seized, and around 1,000 decryption keys were recovered. A free decryptor, available on the No More Ransom portal, has been developed to help victims recover their encrypted files. More than 14,000 accounts associated with members of the group, which were used to host stolen data, software, and the group’s tools, have been seized and are currently being removed by law enforcement. The threat actor in charge of the operation, LockBitSupp, confirmed that the LockBit infrastructure was compromised by exploiting a critical PHP vulnerability, CVE-2023-3824, that was first disclosed in August 2023.

The core members of the LockBit ransomware operation remain at large; however, two affiliates were arrested in Poland and Ukraine and now await extradition to the United States to face trial, and three international arrest warrants and five indictments have also been issued by the French and U.S. judicial authorities. The U.S. Department of State is offering a reward of up to $15 million for information about LockBit associates, including $10 million for information leading to the identification or location of any individual who holds a leadership role in the LockBit operation, and a reward of up to $5 million for information that leads to the arrest and/or conviction of any individual conspiring to participate in, or attempting to participate in, LockBit ransomware activities.

The affiliate portal has been seized and a note has been added for affiliates of the group from the NCA, FBI, Europol, and the Operation Cronos Law Enforcement Task Force. “Law enforcement has taken control of LockBit’s platform and obtained all the information on its servers. This information relates to the LockBit group and you, their affiliate. We have source code details of the victims you have attacked, the amount of money stolen, chats, and much, much more. You can thank LockBitSupp and their flawed infrastructure for this situation… we may be in touch with you very soon.” In a press release about the operation, Europol explained that a vast amount of data was gathered and is now in the possession of law enforcement. That information will support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure, and criminal assets linked to the group’s criminal activities.

The operation has caused major disruption to the group; however, most of the affiliates that conducted attacks remain at large and will likely switch to alternative ransomware-as-a-service operations. The core members of the group are believed to reside in states that tolerate ransomware activity and have no extradition treaties with Western countries, so those individuals are unlikely to face justice and may choose to rebuild and launch another ransomware operation under a different name; that said, the law enforcement operation has significantly damaged the reputation of the group, which may struggle to attract affiliates for future operations.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news