Cybersecurity experts respond to LockBit takedown


LockBit, a notorious cybercrime gang that holds its victims’ data to ransom, has been disrupted in a rare international law enforcement operation.

The news has been confirmed by the gang itself and by US and UK authorities. The operation was run by Britain’s National Crime Agency, the US Federal Bureau of Investigation, Europol and a coalition of international police agencies, according to a post on the gang’s extortion website.

The international task force involved has been dubbed Operation Cronos. Officials in the United States, where LockBit has hit more than 1,700 organisations in nearly every industry from financial services and food to schools, transportation and government departments, have described the group as the world’s top ransomware threat.

Trend Micro assisted the NCA as part of its lead role in the disruption of LockBit operations.

In collaboration with the NCA, Trend Micro analysed the in-development version of LockBit (referred to as LockBit-NG-Dev), effectively rendering the entire product line nonviable for criminals.

Trend Micro had protection in place for this upcoming malware product before the group even completed testing.

The company said: “This proactive collaboration with the NCA ensures our customers face a future without LockBit, which accounted for 25% of all Ransomware leaks last year – a substantial impact.

“While the Ransomware market may evolve, our long-standing trust and collaboration with law enforcement position us ahead of public knowledge, allowing us to proactively protect our customers. The recent discrediting of the group by the NCA and partners makes it clear that no rational criminal would want to be associated with them again.”

Robert McArdle, Director of Trend Micro’s Forward Looking Threat Research team, said: “We will release a publication looking at a new as yet unreleased version of the LockBit encryptor that the group were working on, as well as recapping the history of recent issues and difficulties this group has experienced.

“While LockBit were without doubt the largest and most impactful Ransomware operation globally, we hope that this disruption makes it very clear that all criminal affiliates should strongly reconsider any involvement with them in the future, and that in partnering with this organisation these associates have put themselves at increased risk of law enforcement action.”

Cybersecurity experts have been responding to the news.

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, said: “The takedown of LockBit’s darknet domains stands as a stark reminder of the relentless cat-and-mouse game between cybercriminals and law enforcement.

“Takedowns are not easy though, and it took the collaboration of Europol and many countries working together to infiltrate and dismantle the notorious group. The symbolic seizure banner displayed on LockBit’s .onion sites is a warning shot to other would-be criminals that they can’t stay safe forever.

“While the immediate aftermath of this operation marks a decisive blow to LockBit’s operations, the broader narrative it contributes to is one of persistence. In cybersecurity, as in all aspects of security, the goal is not to achieve an impenetrable barrier but to make the cost of attack so high that it becomes a deterrent. Yet, we must consider the resilience of these cybercriminal enterprises; history has shown us time and again their ability to adapt, evolve and resurface under new guises.

“In essence, while the takedown is a testament to what can be achieved through international cooperation and technical ingenuity, it also serves as a reminder to the industry. We must continue to bolster our defenses, educate our workforce, share intelligence and refine our tactics for the digital age, for the threat landscape is ever-evolving.”

Greg Day, SVP and Global Field CISO at Cybereason, said: “Far too often, there’s talk about the ease with which cybercriminals operate online. However, this recent news serves as a prime example of the results achieved through diligent effort and collaboration behind the scenes. This involves co-operation among law enforcement agencies spanning different jurisdictions, navigating the complexities arising from varied laws.

“It also entails partnerships with telecom providers to grasp the intricacies of infrastructure and attack methodologies, collaboration with the cybersecurity industry to comprehend the latest attack iterations, and engagement with financial services organisations to gain insights into money transaction flows. Modern ransomware attacks surpass many traditional bank heists in complexity and extend across international borders. Nonetheless, as we continue to enhance our collaborative efforts, the collective action of the masses prevails over the actions of the few.”

Rebecca Moody, Head of Data Research at Comparitech, added: “While this is positive news, it’s not time to pop the cork on the champagne bottle just yet. The takedown of LockBit’s website and arrests of certain members may disrupt operations and is certainly a step in the right direction. However, this ransomware gang has been in operation for nearly five years with many key members believed to be based in Russia, meaning there’s a way to go to dismantle the entire operation. LockBit also outsources work to affiliates.

“Since 2018, we have logged 349 confirmed ransomware attacks carried out by LockBit. 11.24 million records are confirmed to have been breached across just 79 of these attacks, creating an average data breach of more than 142,000 records. LockBit’s ransom demands have averaged US$11.06m across these confirmed attacks.

“So far this year, LockBit is confirmed to have attacked seven worldwide organizations, including its high-profile attacks on Fulton County, EquiLend, and Saint Anthony Hospital in the US, and the Caravan and Motorhome Club and Misbourne School in the UK.”

Ryan McConechy, CTO of Barrier Networks, said: “In the last six months, law enforcement officials have publicly announced their commitment to disrupt ransomware actors. This takedown, of what is widely perceived as the world’s most dangerous ransomware group, demonstrates their determination to win the fight.

“Just last week, the FBI announced a reward for information on the BlackCat ransomware gang, while in November the US government also signed a pledge with other nations stating it would never pay ransom demands.

“Each of these actions demonstrates the efforts law enforcement is placing on fighting ransomware, but the seizure of LockBit’s servers is undoubtedly one of the biggest accomplishments so far.

“Since its discovery, LockBit has evolved into one of today’s most dangerous adversaries. From attacks on banks to critical infrastructure to enterprises, the gang has ruthlessly crippled the networks of thousands of businesses. This takedown likely means LockBit can no longer use its seized infrastructure to launch attacks or sell on its services. But it unfortunately doesn’t guarantee the gang is gone forever.

“When it comes to defence against ransomware, organisations must act before it is too late. This involves training on threats, implementing MFA to secure employee credentials, keeping systems up to date with patches, and getting a well-oiled and comprehensive incident response plan in place, so everyone can step straight into effective action, even when attacks do occur.”

Camellia Chan, CEO and Co-Founder of Flexxon, said: “The historically formidable LockBit ransomware gang has been taken offline in a co-ordinated operation by the NCA, FBI and International Coalition. Although a positive step in the battle against cybercriminals, it is not the time to get complacent. We can’t expect the gang that hit ICBC (China’s largest bank) with a cyberattack so bad it disrupted the US treasury market to go down without a fight.

“LockBit could even re-invent itself in time, as we’ve seen with other ransomware gang rebrands. Plus, there’s no doubt there are other threat actors just around the corner. For businesses, this should be a wake-up call to bolster defences. To meet the fast-evolving threat landscape, organisations need to be proactive in recognising security gaps and must address those with innovative, proven solutions at both the software and the hardware layer.”

Arun Kumar, Regional Director at ManageEngine, the enterprise IT division of Zoho Corp, said: “It’s encouraging to see international collaboration has shut down LockBit, the prolific ransomware group. International agencies must continue to align, to disrupt these borderless cybercriminals.

“But it’s too soon to claim victory. Taking down LockBit is just the first step – as we’ve seen with Qakbot malware, which is developing new variants despite being shut down by the FBI last year, these threat actors are quick to adapt. It’s imperative to remain proactive in defence against cyberattacks with extended attack surfaces and sophisticated attack techniques.

“And the proliferation of cybercrime shows that defeating LockBit is just winning a battle – not the war. The amount of fraud in the UK more than doubled to £2.3bn in 2023, a new report finds, driven by the new wave of serious AI crimes which are more sophisticated than ever before. Along with good security hygiene, collaboration will be paramount in ensuring the impacts of cybercrime are minimised.”
