Operation Cronos dismantles LockBit ransomware gang

An international law enforcement operation led by the U.K.'s National Crime Agency seizes LockBit's websites, servers, source code and decryption keys.

Law enforcement agencies Tuesday announced the disruption and dismantling of LockBit, which Europol called the "world's biggest ransomware operation."

A coalition of international law enforcement agencies, led by the U.K.'s National Crime Agency (NCA), took down LockBit's infrastructure as part of "Operation Cronos," a monthslong effort to halt the ransomware-as-a-service gang's activity and bring its members to justice. Security researchers first spotted the seized domains Monday.

"Today, after infiltrating the group's network, the NCA has taken control of LockBit's services, compromising their entire criminal enterprise," the agency said in its announcement.

In addition to the disruption campaign, coordinated actions with Europol included the arrests of two suspected LockBit members in Poland and Ukraine Tuesday morning, as well as the seizure of more than 200 cryptocurrency accounts linked to the gang.

Operation Cronos involved law enforcement agencies from the U.S., France, Germany, the Netherlands, Sweden, Australia, Canada, Japan and Switzerland. The disruption campaign seized 28 servers in three countries, according to the NCA, and brought down LockBit's public leak site, the group's administration portal and other sites as well.

In addition to taking down the ransomware gang's infrastructure, the NCA said it obtained LockBit's source code, more than 1,000 decryption keys and "a vast amount of intelligence" on the gang from its compromised systems.

The infiltration of LockBit's network also provided evidence of what many cybersecurity experts and threat analysts have long believed: that ransomware gangs retain victims' stolen data even after they pay ransoms. "Some of the data on LockBit's systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised," the NCA said.

Europol also announced that law enforcement agencies have identified more than 14,000 "rogue accounts" that LockBit actors used for infrastructure and data exfiltration, which have been referred for removal. The NCA also obtained the ransomware gang's custom data exfiltration tool, known as StealBit.

[Image: screenshot of the takedown notice law enforcement agencies posted after seizing LockBit's websites.] Operation Cronos, led by the U.K.'s National Crime Agency, seized the websites, servers and decryption keys of the notorious LockBit ransomware gang.

"As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity," NCA Director General Graeme Biggar said in the announcement. "Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them."

U.S. Attorney General Merrick Garland said LockBit was one of the most prolific ransomware gangs in the world, responsible for more than 2,000 victims and $120 million in extortion payments. Garland urged all victims of LockBit and ransomware attacks in general to contact the FBI.

"Actions like today's would not be possible without victims reporting their ransomware attacks to law enforcement," he said in a video statement. "LockBit is not the first ransomware variant the Justice Department and its international partners have dismantled. It will not be the last."

Arrests and indictments

Authorities have not identified the two LockBit suspects arrested in Poland and Ukraine; it is unclear whether they are affiliate hackers or LockBit operators.

As part of Operation Cronos, the Justice Department announced the indictments of two Russian nationals who allegedly deployed LockBit ransomware. In an unsealed indictment in the District of New Jersey, Artur Sungatov and Ivan Kondratyev, also known as "Bassterlord," were charged with multiple counts of conspiracy to commit fraud under the Computer Fraud and Abuse Act.

U.S. authorities had previously charged three other alleged LockBit actors. In May, Russian national Mikhail Pavlovich Matveev was indicted on charges of conspiracy to deploy LockBit as well as two other ransomware variants, Hive and Babuk. Matveev is still at large, and the U.S. State Department is currently offering up to $10 million for information that leads to his arrest and/or conviction.

Mikhail Vasiliev, a dual Russian-Canadian national, was arrested in 2022 and indicted on similar charges in connection with the LockBit gang. He is currently in custody and awaiting extradition to the U.S.

Russian national Ruslan Magomedovich Astamirov was arrested in June in Arizona and charged with conspiring to commit fraud in connection with at least five different LockBit attacks against organizations in the U.S. and other countries. He is currently in custody and awaiting trial.

Operation Cronos marks the third disruption of a major ransomware gang by international law enforcement efforts in just over 12 months. In January 2023, the FBI revealed that it had brought down the Hive ransomware gang's network by hacking into its infrastructure. Authorities obtained more than 1,000 decryption keys, assisting victims and preventing the payment of approximately $130 million in ransoms.

In December, the FBI announced the disruption of the Alphv/BlackCat ransomware gang through the help of a confidential informant. Law enforcement agencies seized several websites and developed a decryption tool to assist victims with restoring their data.

Rob Wright is a longtime technology reporter who lives in the Boston area.
