Update: The U.K. National Crime Agency (NCA) has confirmed the takedown of LockBit infrastructure. Read here for more details.
An international law enforcement operation has led to the seizure of multiple darknet domains operated by LockBit, one of the most prolific ransomware groups, marking the latest in a long list of digital takedowns.
While the full extent of the effort, codenamed Operation Cronos, is presently unknown, visiting the group's .onion website displays a seizure banner containing the message "The site is now under the control of law enforcement."
Authorities from 11 countries, Australia, Canada, Finland, France, Germany, Japan, the Netherlands, Sweden, Switzerland, the U.K., and the U.S., alongside Europol participated in the joint exercise.
Malware research group VX-Underground, in a message posted on X (formerly Twitter), said the websites were taken down by exploiting a critical security flaw impacting PHP (CVE-2023-3824, CVSS score: 9.8) that could result in remote code execution.
Law enforcement agencies also left on a note on the affiliate panel, stating they are in possession of the "source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more," adding it was made possible due to LockBit's "flawed infrastructure."
LockBit, which emerged on September 3, 2019, has been one of the most active and notorious ransomware gangs in history, claiming more than 2,000 victims to date. It's estimated to have extorted at least $91 million from U.S. organizations alone.
According to data shared by cybersecurity firm ReliaQuest, LockBit listed 275 victims on its data leak portal in the fourth quarter of 2023, dwarfing all its competitors.
There is no word as yet of any arrest or sanctions, but the development is a definite blow to LockBit's near-term operations and arrives two months after the BlackCat ransomware operation was dismantled by the U.S. government.
The coordinated takedown also coincides with the arrest of a 31-year-old Ukrainian national for gaining unauthorized access to Google and online bank accounts of American and Canadian users by deploying malware and selling access to other threat actors on the dark web for financial gain.
LockBit Saga — Timeline of Events
- February 20, 2024
LockBit Busted - Authorities Seize Darknet Domains
An international law enforcement operation, including 11 countries and Europol, successfully seized darknet domains linked to the ransomware group LockBit, which has extorted over $91 million since 2019. The operation, named Cronos, used a PHP security flaw to disrupt LockBit's websites, marking a significant blow to the group's activities.
- February 21, 2024
LockBit Hackers Arrested - Decryption Tool Released
UK's NCA shuts down LockBit ransomware, arrests 2 in Poland/Ukraine, freezes 200+ crypto accounts, indicts 2 Russians in US. Seized LockBit's code, intelligence, dismantled 34 servers, retrieved 1k decryption keys. LockBit affected 2.5k victims globally, netted $120M. Decryption tool available for victims.
- February 22, 2024
$15 Million Bounty on LockBit Ransomware Leaders
US State Dept offers $15M reward for info on LockBit ransomware leaders, involved in 2k+ global attacks since 2020, causing $144M in damages. Law enforcement disrupted LockBit, arresting affiliates and seizing assets. LockBit, known for ransomware-as-a-service, extensive affiliate network, and innovative tactics like a bug bounty program, remains a significant cyber threat despite setbacks.
- February 25, 2024
LockBit Ransomware Kingpin 'Engages' with Police
The individual(s) behind the LockBit ransomware service, known as LockBitSupp, has reportedly engaged with law enforcement following a significant international crackdown on the ransomware-as-a-service operation named Operation Cronos.
- February 26, 2024
LockBit is Back - Calls for Attacks on US Government
The LockBit ransomware group has re-emerged on the dark web with a new infrastructure shortly after law enforcement seized its servers. The group has listed 12 new victims on its data leak portal and discussed the seizure of its websites, attributing it to a potential exploitation of a PHP vulnerability.
