LockBit Ransomware Group on the Ropes After Law Enforcement Seizures

by | Feb 23, 2024

The LockBit ransomware group has had a tremendous run in recent years, but they may well be the next major cyber crime gang about to go out of business. An international law enforcement action called “Operation Chronos” has seized servers, dark web assets, crypto wallets and decryption keys, leaving the group limited in its capacity to do harm.

The law enforcement action included the National Crime Agency of the UK (NCA), the US Justice Department and the FBI. At minimum the gang seems to have lost its affiliate portal to the operation, as well as its dark web data leak site.

Law enforcement action leaves LockBit leader cursing

LockBit’s leader makes occasional public appearances via the encrypted Tox messaging service, and was recently seen complaining about the FBI using a PHP exploit to penetrate the gang’s servers. The adjective he used to describe the current state of the LockBit ransomware gang is not fit for polite company.

Relief may be coming for some of LockBit’s more recent victims. The law enforcement operation has apparently seized about 1,000 decryption keys for the gang’s most recent ransomware iteration, along with over 200 of the group’s crypto wallets. Two arrests of group members were also made (in Poland and Ukraine), but the upper leadership likely remains safe in Russia at present.

One twist to this is that law enforcement also reportedly seized extensive information on the LockBit ransomware group’s victims. That could reveal organizations that made a payment but did not report it to the proper authorities. It will be interesting to see if any actions emerge from EU regulators or the US OFAC as a result.

As to the present state of LockBit, it is definitely significantly harmed but not necessarily out of business. The key question is whether law enforcement caused enough damage to the group’s infrastructure and reputation to cause it to fold up and move on to some other brand name, something that would at least slow its chief operators down.

LockBit ransomware group down but not out yet

The law enforcement bulletin announced the seizure of a good deal of the LockBit ransomware group’s websites and servers, but the full extent of the blow to its operations is not yet known.

In addition to its data leak site and affiliate portal, the action took out servers hosting the platform the group uses to extract and transfer data from victims. At minimum, the cumulative damage will likely deal a strong blow to the group’s reputation with its affiliates. But as many prior actions have shown, ransomware gangs are not out of business until their leadership and key operators are in prison.

One interesting side note to the action is that law enforcement has apparently been working on bringing down the LockBit ransomware group for almost two years. The campaign apparently began in April of 2022 in Europe, with Eurojust and Europol getting involved early. Ransomware justice may take time and may not always be complete, but the biggest operators are clearly in the crosshairs of world governments.

Recent Posts

How can we help?

12 + 9 =

× How can I help you?