Law agencies shut down ransomware syndicate

U.S. Attorney Philip Sellinger, second left, and Graeme Biggar, director general of Britain's National Crime Agency, center, are among law enforcement officials appearing at a press conference to outline the details of a law enforcement operation against the ransomware syndicate LockBit in London, Tuesday, Feb. 20, 2024. Law-enforcement agencies said they infiltrated and disrupted LockBit, arresting two people involved with the prolific ransomware syndicate that has extracted $120 million from thousands of victims around the world. (AP Photo/Kelvin Chan)

LONDON -- Law enforcement agencies have infiltrated and disrupted the prolific ransomware syndicate LockBit that has extracted $120 million from thousands of victims around the world, with two people arrested, British, U.S. and European officials said Tuesday.

Britain's National Crime Agency, or NCA, said it led an international operation targeting LockBit, which provides ransomware as a service to so-called affiliates who infect victim networks with the computer-crippling malware and negotiate ransoms.

The operation resulted in the arrests of two people in Poland and Ukraine and the seizure of 200 cryptocurrency accounts, officials said at a joint news conference. The Justice Department, meanwhile, unsealed indictments against two more people, both Russian nationals.

Authorities said they gained "comprehensive access" to LockBit's systems, taking control of infrastructure and obtaining keys to help victims decrypt their data.

"We have hacked the hackers," said the NCA's director general, Graeme Biggar. "LockBit has been locked out."

Hours before the announcement, the front page of LockBit's dark-web leak site was replaced with the words "this site is now under control of law enforcement," alongside the flags of the U.K., the U.S. and several other nations.

The message said the NCA was "working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos." The ongoing operation also involves agencies from Germany, France, Japan, Australia, New Zealand and Canada, among others, including Europol, it said.

LockBit, operating since 2019, has been the most prolific ransomware syndicate two years running. The group accounted for 23% of the nearly 4,000 attacks globally last year in which ransomware gangs posted data stolen from victims to extort payment, according to the cybersecurity firm Palo Alto Networks.

LockBit has been linked to attacks on the U.K.'s Royal Mail, Britain's National Health Service, airplane manufacturer Boeing, international law firm Allen and Overy and China's biggest bank, ICBC.

Ransomware is the costliest and most disruptive form of cybercrime, crippling local governments, court systems, hospitals and schools as well as businesses. It is difficult to combat as most gangs are based in former Soviet states and out of reach of Western justice.

Tuesday's announcement brings to five the number of people the U.S. has indicted since the operation began. Three Russians were previously indicted, with two of those taken into custody, one in Canada and one in the U.S. The rest are still wanted.

Authorities said they seized servers that the gang used to organize and transfer victim data, and gained access to nearly 1,000 potential decryption tools. They obtained the LockBit platform's source code and a trove of intelligence on people the gang worked with.

The operation is "probably the most significant ransomware disruption to date," said analyst Brett Callow of the cybersecurity firm Emsisoft. While it will likely spell the end of the brand, such groups routinely re-emerge under new names. Over the long term, Callow said, this operation alone will not diminish the volume of ransomware attacks.

Information for this article was contributed by Frank Bajak and Fatima Hussein of The Associated Press.

A TV screen shows the front page of LockBit's dark-web leak site that was replaced with the words "this site is now under control of law enforcement," alongside the flags of the U.K., the U.S. and several other nations during the law enforcement press conference to outline the details of a law enforcement operation against the ransomware syndicate LockBit in London, Tuesday, Feb. 20, 2024. Law-enforcement agencies said they infiltrated and disrupted LockBit, arresting two people involved with the prolific ransomware syndicate that has extracted $120 million from thousands of victims around the world. (AP Photo/Kelvin Chan)
 
 
