



The National Crime Agency today, Tuesday 20 February, reveals details of an international campaign of disruption targeting the world's most harmful cybercrime group, LockBit.

Today, the NCA has taken control of LockBit's services after infiltrating the group's network, compromising the entire criminal enterprise.

LockBit has been in operation for four years, and during that time its ransomware has been used in attacks on thousands of victims around the world, including in the UK, causing billions of pounds, dollars and euros in losses in both ransom payments and recovery costs. The group provided ransomware-as-a-service to a global network of hackers or affiliates, giving them the tools and infrastructure needed to carry out their attacks.

Once a victim's network was infected with LockBit's malware, their data was stolen and their systems were encrypted. A ransom was then demanded in cryptocurrency if victims wanted to decrypt their files and prevent their data from being published.

The NCA took control of LockBit's primary administrative environment, where affiliates could build and carry out attacks, as well as the group's public leak site on the dark web, on which it had previously hosted, and threatened to publish, data stolen from victims. Instead, the site will now host a set of information exposing LockBit's features and operations, which the NCA will publish daily, seven days a week.

The agency also obtained the LockBit platform source code and massive amounts of information from the group's systems about its activities, as well as about those who collaborated with the group and used its services to cause harm to organizations around the world.

Some of the data in LockBit's systems belonged to victims who had paid ransoms to the threat actors. This proves that even if you pay the ransom, there is no guarantee that your data will be deleted, despite what criminals promise.

The NCA, working closely with the FBI and supported by international partners in nine other countries, has been covertly investigating LockBit as part of a dedicated task force called Operation Cronos.

LockBit had a custom data exfiltration tool called Stealbit, which its affiliates used to steal victim data. In the last 12 hours, this infrastructure, based in three countries, was seized by members of the Op Cronos task force, while 28 servers belonging to LockBit affiliates were also taken down.

The technical infiltration and disruption is only the beginning of a series of actions against LockBit and its affiliates. In a wide-ranging action coordinated by Europol, two LockBit actors were arrested this morning in Poland and Ukraine, and over 200 cryptocurrency accounts linked to the group were frozen.

The U.S. Department of Justice announced that two defendants have been criminally charged with using LockBit to carry out ransomware attacks and will be detained and tried in the United States.

The United States also unsealed an indictment against two Russian nationals accused of conspiring to carry out LockBit attacks.

As a result of our work, the NCA and its international partners are in a position to support LockBit victims. The agency has secured over 1,000 decryption keys and will be contacting UK-based victims in the coming days and weeks to help them recover their encrypted data and to provide support.

The FBI and Europol will also assist victims elsewhere.

Graeme Biggar, Director-General of the National Crime Agency, said: “This NCA-led investigation has thrown one of the world's most damaging cybercrime groups into landmark disruption. This shows that criminal activity, no matter where it is located or how advanced it is, is beyond the reach of institutions and their partners.

“Through close cooperation, we hacked the hacker. They took control of the infrastructure, seized source code, and obtained keys to help victims decrypt the systems.

“Starting today, LockBit is locked. We have damaged the capacity and especially the credibility of groups that rely on secrecy and anonymity.

“Our work doesn't end here. LockBit may be trying to rebuild its criminal enterprise. But we know who they are and how they operate. We will remain relentless in our efforts to target this group and everyone associated with them.”

Home Secretary James Cleverly said: “The National Crime Agency’s world-leading expertise has delivered a crushing blow to those behind the world’s most prevalent ransomware variant.

“The criminals who run LockBit are sophisticated and highly organized, but they have not been able to escape the hands of British law enforcement and their international partners.

“The UK has seriously disrupted their nefarious ambitions and we will continue to pursue criminal groups who target our businesses and institutions.”

U.S. Attorney General Merrick B. Garland said: “For years, LockBit associates have continued to deploy these types of attacks across the United States and around the world. Today, American and British law enforcement agencies are taking away the keys to criminal activity.

“And we went one step further and obtained keys from the seized LockBit infrastructure to enable victims to decrypt captured systems and regain access to their data. LockBit is not the first ransomware variant to be dismantled by the U.S. Department of Justice and its international partners. It won't be the last.”

FBI Director Christopher A. Wray said: “Today, the FBI and our partners successfully disrupted the LockBit criminal ecosystem, one of the most prevalent ransomware variants in the world.

“Through years of innovative investigative work, the FBI and our partners have significantly reduced the ability of hackers to launch significant ransomware attacks against critical infrastructure and other public and private organizations around the world. This operation further strengthens our capabilities and defenses. We demonstrate our commitment to protecting our nation's cybersecurity and national security from malicious actors seeking to influence our way of life. We will work at home and abroad to identify, disrupt, and deter cyber threats and hold perpetrators accountable. We will continue to work with our allies.”

The NCA leads the UK law enforcement response to tackling cybercrime, disrupting offenders where possible by enabling criminal justice outcomes and working with partners such as the NCSC on a wide range of other means, including online disruption, sanctions and travel bans, and on technology that is designed to be safe and secure.

The NCA National Cyber Crime Unit also works with a network of regional cyber crime units based in nine Regional Organized Crime Units (ROCUs) in England and Wales. The operation was developed through the work of the South West ROCU and continues to be supported by staff there.

Public engagement is key to this response, so it's important to report if your organization has been a victim of a ransomware attack. The earlier people report, the sooner NCA and its partners can evaluate new methodologies and limit the harm they may cause to others.

If you live in the UK, you should use the government's Cyber Incident Signage site as soon as possible for guidance on where to report the incident.

February 20, 2024

