Skip to content

LockBit Disruption

Bola Ogbara
Bola Ogbara Connect on LinkedIn
2 min. read

LockBit, the most pervasive ransomware group, was disrupted in a global operation, leading to arrests and decryption keys for victims. International collaboration continues to combat cyber threats effectively.

LockBit Disruption (1)

On February 20, 2024, international collaboration disrupted LockBit, the most prolific ransomware group in the world. According to researchers at Recorded Future they have been behind almost 2,300 cyber attacks since 2019, extorting over $120 million in ransom payments. While the majority of victims were from the United States, LockBit ransomware was levied internationally, with attacks spanning the whole globe (North America, Latin America and the Caribbean, Europe, Asia, Africa, and the Middle East). The group was notorious for their attacks on the healthcare industry, but their reach also disturbed many companies in manufacturing, construction, finances, IT, and law.


A press release from Europol explains how law enforcement from France, Germany, the Netherlands, Sweden, Australia, Canada, Japan, the UK, the US, and Switzerland (with support from Finland, Poland, New Zealand, and Ukraine) were able to target LockBit ransomware in the multi-year ‘Operation Cronos’. Lockbit ran under a ‘ransomware-as-a-service’ (RAAS) model, where one main group would create the malicious software and maintain its website. They would then license the code so affiliates (who would get around 75% of the ransom money) could launch attacks on the companies they targeted. 


By getting control of LockBit’s data leak site and the 34 servers used by Lockbit actors, Operation Cronos has blocked the cybercriminals from continuing their ransomware operations.  They also developed almost one thousand decryption keys for victims of LockBit ransomware, which victims may receive access to by contacting the FBI on a new site, and froze approximately 200 cryptocurrency accounts related to attacks. 


The National Crime Agency (NCA), a UK-based law enforcement organization, played a large role in the LockBit site takeover. The Agency was able to secure the source code and collect information about LockBit’s activities and their connections to victims and affiliates. They gained crucial intelligence, even learning that ransom payments did not result in the stolen data being deleted. 


And this is not the end of this investigation. The indictments of two Russian nationals, Artur Sungatov and Ivan Kondratyev, have been unsealed, and the Department of State is offering rewards totaling up to $15 million for any information about LockBit leaders and affiliates that could lead to their arrest. Already, three affiliates, including a father-and-son team, have been arrested in Poland and Ukraine. 


Regarding this operation, the Director of the FBI, Christopher A. Wray said that “the FBI and our partners have significantly degraded the capabilities of those hackers responsible for launching crippling ransomware attacks against critical infrastructure and other public and private organizations around the world…We will continue to work with our domestic and international allies to identify, disrupt, and deter cyber threats, and to hold the perpetrators accountable.” The FBI, in collaboration with the Department of Justice, has already made impressive strides in the fight against cybercrime. Last year they were the main players in the takedown of Qakbot and Hive

More recently, international cooperation was also able to disrupt Volt Typhoon, which had impacted the operations of several US critical infrastructure organizations. As long as the FBI and the DOJ continue their cooperative disruption campaigns, cybercriminals should heed the warning from Brett Leatherman, FBI Cyber Deputy Assistant Director: “No matter where you are, and no matter how much you try to twist and turn to cover your tracks—your infrastructure, your criminal associates, your money, and your liberty are all at risk. And there will be consequences.”