When law enforcement takes down what has been described as the biggest and longest-running ransomware-as-a-service (RaaS) criminal operation, it’s big news. Yesterday, LockBit3.0’s site was replaced with a seizure notice that indicated that LockBit and its infrastructure were now under law enforcement control.
In a press release this morning, the National Crime Agency (NCA) provided more details on LockBit and “Operation Cronos.”
The NCA has taken control of LockBit’s primary administration environment, which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims. Instead, this site will now host a series of information exposing LockBit’s capability and operations, which the NCA will be posting daily throughout the week.
One of the details they already revealed is that when they seized servers, they found data from victims who had already paid LockBit, “evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised.”
The technical infiltration and disruption is only the beginning of a series of actions against LockBit and their affiliates. In wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland and Ukraine, over 200 cryptocurrency accounts linked to the group have been frozen.
The US Department of Justice has announced that two defendants responsible for using LockBit to carry out ransomware attacks have been criminally charged, are in custody, and will face trial in the US.
In coordination with Europol and the NCA, the U.S. Department of Justice issued a press release announcing they had unsealed an indictment obtained in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries.
Today, additional criminal charges against Kondratyev were unsealed in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in California.
Finally, the Department also unsealed two search warrants issued in the District of New Jersey that authorized the FBI to disrupt multiple U.S.-based servers used by LockBit members in connection with the LockBit disruption. As disclosed by those search warrants, those servers were used by LockBit administrators to host the so-called “StealBit” platform, a criminal tool used by LockBit members to organize and transfer victim data.
Decryptor Tool Available
The NCA also announced that with Europol’s support, the Japanese Police, the National Crime Agency and the Federal Bureau of Investigation have concentrated their technical expertise to develop decryption tools designed to recover files encrypted by the LockBit Ransomware.
These solutions have been made available for free on the ‘No More Ransom’ portal, available in 37 languages.