The LockBit ransomware crew that was behind some of the most significant cyber incidents of recent years, most famously the January 2023 attack on Royal Mail, has been taken down and its infrastructure seized in a global police sting spearheaded by the UK’s National Crime Agency (NCA).
At the time of writing, precise details of the nature of the action, dubbed Operation Cronos, are scant pending an official press conference to be held on the morning of Tuesday 20 February. However, the NCA has confirmed via email that it had conducted a “significant international operation” against the ransomware operator.
Other agencies involved include the FBI in the US, agencies from Australia, Canada and Japan, and those of various European Union (EU) states working through Europol.
A notice posted to the LockBit gang’s dark web leak site reads: “This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos.
“We can confirm that LockBit’s services have been disrupted as a result of international law enforcement action – this is an ongoing and developing operation.”
Reporters at Bleeping Computer have additionally confirmed that the sites used by LockBit to ‘negotiate’ with its victims are also down, although other elements of the gang’s operation do appear to be running.
Early reaction
SecureWorks Counter Threat Unit vice president Don Smith, who pursues ransomware gangs for a living, described the takedown as “fantastic”.
“In a highly competitive and cutthroat marketplace, LockBit rose to become the most prolific and dominant ransomware operator. It approached ransomware as a global business opportunity and aligned its operations accordingly, scaling through affiliates at a rate that simply dwarfed other operations,” said Smith.
“To put today’s takedown into context, based on leak site data, LockBit had a 25% share of the ransomware market. Their nearest rival was BlackCat at around 8.5% and after that it really starts to fragment. LockBit dwarfed all other groups and today’s action is highly significant.”
Smith added: “LockBit’s affiliates’ allegiances with the group were already fickle and so whilst some may be dissuaded, unfortunately many will likely align with other criminal organisations.”
Described by the National Cyber Security Centre (NCSC) as an “enduring threat”, LockBit first emerged in early 2020 and by 2022 had risen to become one of the most active ransomware-as-a-service operations worldwide.
Besides Royal Mail, other prominent targets included software firm Advanced, through which it disrupted NHS services, and more recently Boeing and other victims that it targeted through the Citrix Bleed vulnerabilities.
Innovative, quick-thinking and media-savvy as ransomware gangs go, LockBit proved adept at attracting low-level cyber criminal affiliates with a simple, point-and-click ransomware interface and attractive payment terms.
It also sought and received attention for its publicity-generating stunts, which included paying people to get LockBit tattoos, and offering a $1m prize fund for anybody who managed to dox its lead operator. It even ran its own in-house bug bounty programme.
This is a breaking news story. Coverage will continue on Tuesday 20 February.