UK crime agency hails destruction of world’s ‘most harmful’ cybercrime group

The UK’s National Crime Agency (NCA) has revealed details of an international campaign targeting LockBit, described as the world’s most harmful cybercrime group, that it carried out with the FBI and Europol.

“After infiltrating the group’s network, the NCA has taken control of LockBit’s services, compromising their entire criminal enterprise. LockBit have been in operation for four years and during that time, attacks utilising their ransomware were prolific,” said the NCA, after news of its intervention came to light earlier this week.

“LockBit ransomware attacks targeted thousands of victims around the world, including in the UK, and caused losses of billions of pounds, dollars and euros, both in ransom payments and in the costs of recovery. The group provided ransomware-as-a-service to a global network of hackers or ‘affiliates’, supplying them with the tools and infrastructure required to carry out attacks,” it added.

When a victim’s network was infected by LockBit’s malicious software, their data was stolen and their systems encrypted. A ransom would be demanded in cryptocurrency to decrypt files and prevent data from being published.

The NCA has taken control of LockBit’s primary administration environment, which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web. This site will now host a series of information exposing LockBit’s capability and operations, which the NCA will be posting daily throughout this week.

The agency has also obtained LockBit platform’s source code and a “vast amount” of intelligence from their systems about their activities, as well as information about people that have worked with them and used their services to harm organisations throughout the world.

“Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” said the agency.

“The NCA, working closely with the FBI, and supported by international partners from nine other countries, have been covertly investigating LockBit as part of a dedicated taskforce called Operation Cronos,” it explained.

“LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data… this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down,” said the NCA.

The agency said that its technical infiltration and disruption is only the beginning of a series of actions against LockBit and its affiliates. In wider action coordinated by Europol, two LockBit actors have been arrested in Poland and Ukraine, while more than 200 cryptocurrency accounts linked to the group have been frozen.

The US Department of Justice has announced that two defendants responsible for using LockBit to carry out ransomware attacks have been criminally charged, are in custody and will face trial.

The US has also unsealed indictments against two further individuals, who are Russian nationals, for conspiring to commit LockBit attacks.

“As a result of our work, the NCA and international partners are in a position to assist LockBit victims. The agency has obtained over 1,000 decryption keys and will be contacting UK-based victims in the coming days and weeks to offer support and help them recover encrypted data,” said the NCA.

FBI and Europol will be supporting victims elsewhere.

NCA director general Graeme Biggar said: “This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cybercrime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the agency and our partners.

“Through our close collaboration, we have hacked the hackers, taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

UK Home Secretary James Cleverly said The National Crime Agency’s expertise has delivered a major blow to the people behind the “most prolific ransomware” strain in the world.

“The criminals running LockBit are sophisticated and highly organised, but they have not been able to escape the arm of UK law enforcement and our international partners. The UK has severely disrupted their sinister ambitions and we will continue going after criminal groups who target our businesses and institutions,” he said.

US Attorney General Merrick Garland said: “For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, US and UK law enforcement are taking away the keys to their criminal operation.”

“And we are going a step further – we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data. LockBit is not the first ransomware variant the US Justice Department and its international partners have dismantled. It will not be the last,” he continued.

FBI director Christopher Wray added: “Today, the FBI and our partners have successfully disrupted the LockBit criminal ecosystem, which represents one of the most prolific ransomware variants across the globe.

“Through years of innovative investigative work, the FBI and our partners have significantly degraded the capabilities of those hackers responsible for launching crippling ransomware attacks against critical infrastructure and other public and private organisations around the world. This operation demonstrates both our capability and commitment to defend our nation’s cybersecurity and national security from any malicious actor who seeks to impact our way of life. We will continue to work with our domestic and international allies to identify, disrupt, and deter cyber threats, and to hold the perpetrators accountable.”

Back to top button