International Operation Targets Notorious LockBit Ransomware Group

Published: 21 February 2024

LockBit Cronos Operation

Website of one of the world's most harmful ransomware, LockBit, is down. (Photo: National Crime Agency, License)

By Zdravko Ljubas

Law enforcement from 10 countries have dismantled the criminal operation of the world’s most prolific and harmful Russia-based ransomware group LockBit at every level, Europol stated on Tuesday.

According to the U.K.’s National Crime Agency (NCA), LockBit ransomware attacks targeted thousands of victims worldwide, resulting in losses amounting to billions of pounds, dollars, and euros in both ransom payments and recovery costs.

LockBit operated on a “ransomware-as-a-service” model, providing a platform for a global network of hackers, known as affiliates, to launch attacks. When a victim’s network was infected, LockBit malicious software would steal data and encrypt systems, demanding ransom payments in cryptocurrency to decrypt files and prevent data from being published.

The international crackdown was the result of a complex investigation led by the NCA, as part of Operation Cronos, an international task force coordinated by Europol and Eurojust.

Over several months, law enforcement agencies infiltrated LockBit’s primary platform and critical infrastructure, including 34 servers located in multiple countries such as the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom, according to Europol.

In addition to server takedowns, French judicial authorities facilitated the arrest of two individuals affiliated with LockBit in Poland and Ukraine, and issued three international arrest warrants and five indictments in collaboration with U.S. judicial entities.

Simultaneously, authorities froze more than 200 cryptocurrency accounts associated with LockBit, demonstrating their commitment to disrupting the financial incentives driving ransomware attacks, according to Europol.

The NCA said it seized control of LockBit’s central administration environment, used by affiliates to plan and execute attacks, and the group’s public-facing leak site on the dark web. Instead of hosting data stolen from victims, the site will now feature information exposing LockBit’s operations, posted daily by the NCA.

Furthermore, investigations revealed that some data on LockBit’s systems belonged to victims who had already paid ransom, highlighting the fact that paying ransom does not guarantee data deletion.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them,” said Graeme Biggar, NCA Director General.

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned two individuals as affiliates of LockBit, emphasizing the U.S.’s commitment to holding cybercriminals accountable.

“Ivan Gennadievich Kondratiev, a Russian national located in Novomokovsk, Russia, is a LockBit affiliate and leader of the LockBit affiliate sub-group, the National Hazard Society… while Artur Sungatov, a Russian national, is a Lockbit ransomware group affiliate and has actively engaged in LockBit ransomware attacks,” according to OFAC.

OFAC noted that Kondratiev, also known as “Bassterlord” and “Fisheye,” in the cybercriminal community, has ties to other ransomware groups, including REvil, RansomEXX, and Avaddon.

The decision to sanction the individuals aligns with other recent actions by the U.S. targeting Russian cybercriminals, including the recent trilateral designation of Alexander Ermakov, a Russian national implicated in the 2022 ransomware attack against Medibank Private Limited, in collaboration with Australia and the United Kingdom, according to OFAC. It also follows last year's bilateral sanctions against the Trickbot Cybercrime Group, in cooperation with the U.K.

OFAC warned that Russia continues to harbor cybercriminals, enabling groups like LockBit to operate freely and launch attacks against the U.S. and its allies.

“These ransomware attacks have targeted critical infrastructure, including hospitals, schools, and financial institutions. Notably, LockBit was responsible for the November 2023 ransomware attack against the Industrial and Commercial Bank of China’s (ICBC) U.S. broker-dealer,” which affected the settlement of over US$9 billion worth of assets backed by Treasury securities, read the statement.

“The U.S. will not tolerate attempts to extort and steal from our citizens and institutions,” said Deputy Secretary of the Treasury Wally Adeyemo.

“We will continue our whole-of-government approach to defend against malicious cyber activities, and will use all available tools to hold the actors that enable these threats accountable,” he said.

LockBit, initially known as 'ABCD' ransomware, emerged in late 2019 and rapidly gained notoriety, becoming the most widely deployed ransomware variant worldwide in 2022.

As a result of Operation Cronos, law enforcement now controls LockBit's infrastructure, and over 14,000 rogue accounts responsible for exfiltration or infrastructure have been identified and referred for removal, according to Europol.