Last updated on April 4th, 2024 at 09:57 am

Four people arrested, LockBit victims to receive data recovery assistance after joint operation in UK, US, and Europe

Law enforcement now holds the entire “command and control” infrastructure of the ransomware group LockBit, as revealed by the UK’s National Crime Agency. The agency seized the criminal gang’s website in a coordinated international operation.

The data recovered from the hackers has already resulted in four arrests, and authorities have pledged to repurpose the technology to expose the group’s operations globally.

The joint operation involved the NCA, the FBI, Europol, and a coalition of international police agencies. The news was announced on LockBit’s website, which now states: “This site is now under the control of the National Crime Agency of the UK, working closely with the FBI and the international law enforcement taskforce Operation Cronos.”

Europol reported that two individuals associated with LockBit were arrested in Poland and Ukraine, with two more, believed to be affiliates, arrested and charged in the US. Additionally, two Russian nationals, who are still at large, have been identified. Authorities have also frozen over 200 cryptocurrency accounts associated with the criminal organization.

The disruption to LockBit’s operation is more extensive than initially disclosed. Along with seizing control of the public-facing website, the NCA took over LockBit’s main administration environment. This infrastructure enabled the group to manage and deploy the technology used to extort businesses and individuals globally.

“Through our close collaboration, we have disrupted the hackers’ operations, gained control of their infrastructure, seized their source code, and acquired keys that will assist victims in decrypting their systems,” said Graeme Biggar, the NCA’s director general.

“LockBit is now effectively locked out. We have significantly impaired the group’s capability and, most importantly, its credibility, which relied on secrecy and anonymity.”

The organization is a trailblazer in the “ransomware as a service” model, where it delegates target selection and attacks to a network of semi-independent “affiliates,” providing them with tools and infrastructure in exchange for a commission on the ransoms.

In addition to traditional ransomware tactics, which involve encrypting data on infected devices and demanding payment for the decryption key, LockBit also engaged in data theft. The group would exfiltrate copies of victims’ data and threaten to publish them unless the ransom was paid, claiming to delete the copies once payment was received.

However, the NCA discovered that this promise was false. Some of the data found on LockBit’s systems belonged to victims who had already paid the ransom.

Home Secretary James Cleverly commented, “The NCA’s unparalleled expertise has dealt a significant blow to the individuals responsible for one of the world’s most prolific ransomware strains.”

“The operators of LockBit are sophisticated and highly organized, yet they have been apprehended by UK law enforcement and our international partners.”

The “hack back” initiative also retrieved over 1,000 decryption keys intended for LockBit’s victims, and efforts will be made to contact these victims to assist them in recovering their encrypted data.

In a recent blog post, former National Cyber Security Centre chief Ciaran Martin highlighted how the involvement of Russian hackers in cybercrime undermines many conventional law enforcement tactics. He cautioned, “While we can impose costs and disrupt cybercriminals, as long as Russia remains a safe haven, this will not be a comprehensive solution.”