In a major cybercrime takedown, an international coalition of law enforcement agencies has disrupted the infrastructure and key personnel behind the notorious LockBit ransomware operation. Europol described it as the “world’s biggest ransomware operation,” while the FBI called LockBit the “most prolific ransomware strain in the world.” The coordinated operation was led by the UK’s National Crime Agency (NCA) and the FBI, with support from Europol, Interpol, and numerous national cybercrime authorities. Key achievements include:
- Seizure of LockBit’s command infrastructure: The NCA took control of LockBit’s command-and-control servers and leak site. This grants law enforcement visibility into LockBit’s operations and victims.
- Arrests of alleged LockBit members: Europol announced the arrest of two alleged LockBit actors in Poland and Ukraine. Two more purported LockBit affiliates were arrested and charged in the US.
- Prevention of future LockBit attacks: By seizing LockBit’s infrastructure, authorities have severely degraded the syndicate’s ability to deploy ransomware and publish stolen data.
The disruption deals a major setback to what had become the most prolific ransomware threat in 2022. According to FBI estimates, LockBit was behind nearly 20% of all ransomware incidents in the US last year. The group had extorted over $120 million from victims across manufacturing, healthcare, education and other critical sectors.
Inside the LockBit Ransomware Operation
LockBit originated in September 2019 as the “ABCD” ransomware strain. The group rebranded itself as LockBit in 2020 and pioneered the Ransomware-as-a-Service (RaaS) model, allowing less technical “affiliates” to deploy LockBit malware in return for a share of ransoms. This decentralized, franchise-like structure allowed LockBit to rapidly expand. Affiliates gained initial access to targets using methods like phishing, brute-forcing RDP logins, or purchasing access from other hackers. They would then deploy LockBit to encrypt files, accompanied with ransom demands threatening to leak exfiltrated data. In addition to the ransom payments, the LockBit developer team took a major share of ransoms to fund improvements to the malware and infrastructure. LockBit’s ransomware quickly emerged as the dominant strain in 2022, used in about 30% of known ransomware incidents.
Outlook and Implications
The operation marks an important victory for global law enforcement against the scourge of ransomware. However, the ransomware ecosystem has proven resilient to takedowns of individual groups. LockBit itself filled a void left by the 2021 disruption of the REvil/Sodinokibi operation. As long as the RaaS model provides easy profits, new entrants and variants emerge to take the place of fallen ransomware brands. Nonetheless, the operation has struck a major psychological blow and degraded the infrastructure of the dominant player. For potential ransomware victims, the threat landscape remains unchanged. Organizations across all sectors should continue layering preventative security controls, while refining incident response playbooks and backup solutions. Law enforcement cooperation has delivered an important win, but the ransomware fight is far from over.