In a coordinated effort between the FBI and UK authorities, an aggressive blow has been dealt to the infamous LockBit ransomware group. The latest development in the ongoing battle against cybercrime sees LockBit seizure by law enforcement authorities and the taking down of the 22 data leak websites associated with the threat actor.
Users attempting to access the LockBit site are now met with a message indicating its takeover by the UK’s National Crime Agency (NCA), working in tandem with the FBI and the international law enforcement task force, Operation Cronos. This joint operation marks a milestone in the fight against cyber threats, particularly those posed by ransomware groups like LockBit.
However, the threat actor seems to have taken a sophisticated turn and has released a notification letter about the LockBit takedown, notifying the users about the incident and the next set of steps it is going to take.
The LockBit Domain Takedown: Details About the ‘Operation Cronos’
The LockBit takedown operation, involving law enforcement agencies from 11 different countries, has resulted in the seizure of 11,000 domains associated with LockBit and its affiliates. This move aims to disrupt the group’s infrastructure and dismantle its ransomware deployment system, a critical step in curbing its nefarious activities.
Upon accessing the website, instead of the usual data breach content, users can now see the message, “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’, being displayed on the screen.
The LockBit ransomware group is notorious for encrypting files on victims’ computers and demanding payment for their release, a practice that has caused havoc across various sectors globally. Affiliates recruited by LockBit employ the group’s tools and infrastructure to carry out these attacks, with LockBit taking a share of the ransom proceeds.
Participating countries in this coordinated action include Canada, France, Japan, Switzerland, Germany, Australia, Sweden, the Netherlands, and Finland, demonstrating the international scale of the effort against cybercrime.
The Technical Side of the LockBit Seizure: Multiple Facets
Law enforcement agencies, including EUROPOL, the FBI, the National Crime Agency of the UK, and the Operation Cronos Law Enforcement Task Force, have initiated the LockBit takedown with at least 22 Tor sites associated with Lockbit have been affected in what is termed ‘Operation Cronos.’
Notifications on the seized websites read, “Hello Law Enforcement has taken control of Lockbit’s platform and obtained all the information held on there. This information relates to the Lockbit group and you, their affiliate.”
The Lockbit ransomware group’s administrative staff confirmed the seizure, with messages disseminated via Tox and other channels, citing the compromise of their servers through a PHP vulnerability (CVE-2023-3824), reported vx-underground on X (previously Twitter)
Affiliates attempting to access the LockBit panel are greeted with notices indicating law enforcement control over the platform, with warnings of extensive data acquisition, including victim details, extortion amounts, stolen data, chats, and more.
The compromise is attributed to the exploitation of the aforementioned PHP vulnerability, leading to memory corruption or remote code execution. This coordinated effort by law enforcement agencies highlights their commitment to combating cybercrime and disrupting ransomware operations.
The Response to LockBit Takedown
In response to the LockBit seizure, the ransomware group has shared a letter through a mass broadcast on Tox. A notification letter, titled “Important Security Notice from Lockbit – Action Required,” was disseminated to affiliates outlining the situation. The letter highlights the unauthorized access detected by LockBit’s team, allegedly perpetrated by the NCA group.
The breach potentially compromised personal data such as names, email addresses, and encrypted passwords, though no evidence suggests access to financial information or social security numbers. In response, LockBit has heightened security measures, initiated an investigation with “operators and cybercriminals”, and offered affected individuals 12 months of complimentary credit monitoring.
Affiliates are advised to reset passwords, enable multi-factor authentication, and monitor accounts for any suspicious activities. For further assistance, individuals are directed to contact LockBit’s customer support through email and phone.
The Impact of LockBit Ransomware Group
LockBit’s impact has been felt worldwide, with statistics revealing its prominence in ransomware incidents across different regions. According to CISA, In Australia, for instance, LockBit accounted for 18% of reported ransomware incidents from April 2022 to March 2023, while in Canada, it was responsible for 22% of such incidents in 2022.
New Zealand reported 15 instances of LockBit ransomware in 2022, representing 23% of all ransomware reports received by CERT NZ. Similarly, in the United States, LockBit attacks accounted for 16% of ransomware incidents affecting state, local, tribal, and tribunal governments in 2022. LockBit’s rise to infamy as one of the most deployed ransomware variants highlights the need for international cooperation in combating cyber threats.
The recent takedown operation marks a significant victory in this ongoing battle, but it also highlights the continued challenges posed by ransomware groups operating with impunity on the internet. As law enforcement agencies continue their efforts to dismantle such criminal networks, cybersecurity remains a pressing concern for organizations worldwide.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.