A team of law enforcement officials from the U.K.’s National Crime Agency has conducted an extensive operation that has rooted out LockBit, the notorious Russia-linked ransomware gang responsible for causing chaos in numerous businesses, hospitals, and governments worldwide over the course of several years.
This operation has resulted in the takedown of LockBit’s leak site, seizure of their servers, multiple arrests, and implementation of U.S. government sanctions – making it one of the most impactful actions taken against a ransomware group thus far.
But what makes this takedown stand out even more is its unique approach. The U.K. authorities announced the seizure of LockBit’s infrastructure on the gang’s own leak site, which now serves as a platform for revealing crucial information about the inner workings of the group, with the promise of more to come.
Key findings from the LockBit takedown
- LockBit didn’t delete victims’ data, even after receiving payment
- Even ransomware gangs neglect to patch vulnerabilities
- Ransomware takedowns are a lengthy process
- LockBit has targeted more than 2,000 organizations
- Sanctions against a key LockBit member may have an impact on other ransomware attacks
- The British aren’t lacking in humor
It has long been speculated that paying the ransom demanded by hackers is a risky move, as it does not guarantee the deletion of stolen data. Some victims have even stated that they “can’t guarantee” the removal of their data. The NCA’s statement has validated this concern, as they discovered that some of the data on LockBit’s seized systems belonged to victims who had already paid the ransom. The NCA underlined this point, stating that “even when a ransom is paid, it does not guarantee that data will be deleted, despite the promises made by the criminals.”
Surprisingly, even ransomware gangs are known to be slow when it comes to patching software bugs. According to the malware research group vx-underground, LockBitSupp, the alleged leader of LockBit’s operation, disclosed to them that law enforcement had been able to breach their servers using a known vulnerability in PHP, the widely used web scripting language. This vulnerability, identified as CVE-2023-3824, was patched in August 2023, giving LockBit ample time to address the issue before the takedown.
In a translated message from LockBitSupp to vx-underground, originally written in Russian, it was revealed that the “FBI f****d up servers via PHP, backup servers without PHP can’t be touched.”
The LockBit takedown, referred to as “Operation Cronos,” was a long time in the making, as confirmed by European law enforcement agency Europol. They stated that their investigation into this infamous ransomware gang began in April 2022, about two years ago, at the request of French authorities. In addition, Europol revealed that their European Cybercrime Center (EC3) organized more than twenty-four operational meetings and four technical one-week sprints to develop the leads necessary for the final phase of the investigation – this week’s successful takedown operation.
The notoriety of LockBit, which first emerged in the competitive cybercrime scene in 2019, is no secret. The operation conducted on Tuesday has essentially confirmed this, and the U.S. Justice Department now has figures to back it up. According to the DOJ, LockBit has attacked over 2,000 victims domestically and abroad, raking in a total of $120 million in ransom payments.
One of the prominent LockBit members indicted and sanctioned on Tuesday is a Russian national by the name of Ivan Gennadievich Kondratiev. U.S. officials have accused him of being involved in other ransomware gangs as well.
According to the U.S. Treasury, Kondratiev also has ties to REvil, RansomEXX, and Avaddon. While RansomEXX and Avaddon are lesser-known versions of LockBit, REvil is a Russia-based ransomware operation that gained widespread attention for their high-profile hacks, generating millions in ransom payments by targeting U.S. network monitoring giant Kaseya.
The NCA also disclosed that Kondratiev is a leader of a newly exposed LockBit sub-group known as the “National Hazard Society.” There is currently limited information available about this branch of the ransomware operation, but the NCA has promised to reveal more details in the following days.
With these sanctions in place, U.S. victims of Kondratiev’s ransomware will be prohibited from paying the demanded ransoms. Since Kondratiev has ties to at least five different ransomware gangs, these sanctions will undoubtedly make his life more difficult.
While some may argue that this fact was already known, the LockBit takedown has revealed that U.K. authorities have a sense of humor.
The NCA has taken a comedic approach in mocking LockBit by mimicking the gang’s dark web leak site to reveal their own LockBit-related findings. Furthermore, various Easter eggs were discovered on LockBit’s now-seized website. The most amusing are the file names for the site’s images, which include “oh dear.png,” “doesnt_look_good.png,” and “this_is_really_bad.png.”