Cybersecurity

Operation Cronos locks LockBit

The actions of Operation Cronos hit hard, one industry pro says.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

On Tuesday, at least, LockBit looked locked out.

In collaboration with the FBI and Justice Department, the UK National Crime Agency (NCA) this week announced a takeover of major pieces of the ransomware group’s infrastructure, including its primary administration and public-facing leak site.

“The Agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have worked with them and used their services to harm organisations throughout the world,” the NCA said Tuesday.

The multi-country effort—a task force called Operation Cronos—demonstrates a significant, if short-term, impact on a prolific malware group, according to industry pros who spoke with IT Brew.

“The non-technical side of things is the most impressive: seeing the international cooperation across the world with law enforcement,” Ryan Westman, director of threat intelligence at cybersecurity company eSentire, told IT Brew.

According to the DOJ, the ransomware-as-a-service operation has taken more than $120 million in ransoms from more than 2,000 victims. LockBit led ransomware variants in 2022, CISA said in June, “and continue[d] to be prolific in 2023.”

“Today, US and UK law enforcement are taking away the keys to their criminal operation,” US attorney general Merrick Garland announced on Tuesday, adding that the agencies “obtained keys from the seized LockBit infrastructure” to assist victims in data recovery.

The captured decryption keys: “That’s what helps the most,” according to Yossi Rachman, director of security research at Active Directory protection company Semperis, given LockBit’s reputation as a for-profit org.

A site “defaced” by the agencies, Rachman said, with messages like “This site is now under the control of the UK, the US, and the Cronos task force,” matches the disruptive style of malicious-hacking groups used to doing the disrupting.

“That’s the language that they speak. The message hits hard,” Rachman told IT Brew.

Tuesday’s DOJ disclosure included notice of an unsealed indictment obtained in the District of New Jersey charging two Russian nationals “with deploying LockBit against numerous [US] victims.”

The LockBit site takedown and indictments will cost the group, Westman said.

“It definitely will act, at least to a degree, as a deterrent for individuals who are operating in countries where we can take action against them. But in countries where you can’t, that’s more of a systemic challenge that we’re going to still have to figure out how to address.”

“LockBit is not the first ransomware variant the Justice Department and its international partners have dismantled. It will not be the last,” Garland said to conclude this week’s announcement.
