LockBit Ransomware Takedown Includes Arrests, Decryptor Release

Europol, FBI Announce LockBit Ransomware Crackdown

An international takedown operation has hit the infamous LockBit ransomware group on multiple levels, with law enforcement agencies targeting its technical infrastructure, making arrests and releasing a decryption tool for victims to recover encrypted files without paying a ransom.

The sweeping operation, announced Tuesday, was coordinated by Europol and Eurojust, and involved law enforcement from 10 countries, including France, Germany, the Netherlands, Sweden, Australia, Canada, Japan, the UK, the U.S. and Switzerland. It signifies a massive crackdown on both the operators and affiliates behind LockBit, which was labeled last year as the most active ransomware group and has targeted over 2,000 victims.

The takedown itself is multifaceted, affecting everything from LockBit’s infrastructure backbone to members’ ability to access cryptocurrency accounts linked to the ransomware group. On the technical infrastructure side, the operation took down 34 servers in various countries, froze 200 cryptocurrency accounts and closed several thousand “rogue accounts” responsible for exfiltration. Two LockBit actors were also arrested in Poland and Ukraine at the request of the French judicial authorities, and three international arrest warrants and five indictments have also been issued by French and U.S. judicial authorities.

“For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world,” said Attorney General Merrick B. Garland in a statement. “Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation. And we are going a step further — we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data.”

While the infrastructure takedown poses major hurdles for LockBit, the arrests, indictments and identifications of individuals linked to the group are truly significant. Europol gave no further details on the two LockBit actors who were arrested, but the Justice Department on Tuesday indicted two Russian nationals who have both allegedly engaged in LockBit ransomware attacks: Ivan Gennadievich Kondratiev, a LockBit affiliate and leader of an affiliate sub-group called the National Hazard Society, and Artur Sungatov, a LockBit ransomware group affiliate.

“A common point of dissatisfaction for using law enforcement mechanisms to reduce this risk is that we’ll never get these guys,” said Megan Stifel, the chief strategy officer for the Institute for Security and Technology and executive director of the Ransomware Task Force. “Well, guess what? Several of them are now in custody. I think that’s indicative of where we’re seeing progress.”

The operation also targeted the financial epicenter of LockBit, which over the years has received more than $120 million in ransom payments and has made ransom demands totaling hundreds of millions of dollars. In addition to authorities freezing the 200 cryptocurrency accounts linked to the organization, the U.S. Treasury Department on Tuesday also issued sanctions against Kondratiev and Sungatov. The sanctions ban all transactions between these individuals and people in the U.S.

The announcement also reveals two short-term wins for businesses hit by the LockBit ransomware. First, a decryption tool was developed by the FBI, the UK’s National Crime Agency and Japanese police. This tool is now available on the No More Ransom portal, and LockBit victims can use it for free to recover their encrypted files. Second, the data LockBit stole from victims now appears to be in the hands of law enforcement - though there’s no guarantee that there aren’t other copies of this stolen data floating around, said Stifel. Still, “at the very least additional investigative work can help victims understand what was taken and help them to better assess their risk from further damage from the release of that data,” said Stifel.

Europol acknowledged that this “vast amount of data gathered throughout the investigation is now in the possession of law enforcement” and stressed that it could support future operations.

“This data will be used to support ongoing international operational activities focused on targeting the leaders of this group, as well as developers, affiliates, infrastructure and criminal assets linked to these criminal activities,” according to Europol.

While it’s often difficult to coordinate international takedown efforts like these - especially with the safe harbor challenges that shape the ransomware landscape - law enforcement agencies in the U.S. and elsewhere have touted increased international cooperation when it comes to identifying and disrupting cybercriminals.

This level of coordination has been key to several other big ransomware crackdowns, including disruptions against BlackCat in December and Ragnar Locker in October, as well as a series of arrests of high-ranking ransomware group members in November.

Europol painted a detailed picture of the coordination efforts needed in the takedown, starting with the case being opened at Eurojust in April 2022 at the request of the French authorities. Over the course of the operation, Europol’s European Cybercrime Centre organized 27 operational meetings and four technical one-week sprints, all the while trading analytical, forensic and crypto-tracing information and preparing for the final takedown phase of the investigation.

Stifel said that the number of countries participating in this operation is “reflective of the way this threat needs to be managed.”

“The more organizations are working together, the more isolated these individuals will become and the greater the net that can be leveraged to bring them into custody,” said Stifel.