
International policing operation disrupts LockBit ransomware gang

UK-led effort seizes critical infrastructure

20 February 2024

Britain’s National Crime Agency, the Federal Bureau of Investigation, Europol and a coalition of international police agencies have taken part in an operation to disrupt the LockBit ransomware gang.

“Today, law enforcement has taken control of technical infrastructure which underpins the LockBit operation, including its primary platform and leak site where data stolen from victims in ransomware attacks have previously been hosted,” said a statement from the NCA.

“The seizure of the criminal infrastructure aims to reduce the threat to the UK, while data obtained through the campaign will help law enforcement progress their investigations.”




Established in 2019 as a ransomware-as-a-service group, LockBit specialises in ‘double extortion’, where stolen data is published online if a ransom is not paid. In 2023, the group dominated the ransomware scene, with more than 1,000 organisations extorted, mainly in the US, UK, France, Germany, and Canada.

Recent high-profile victims of the gang include the NHS, Boeing, and the Industrial & Commercial Bank of China, though the manufacturing sector seems to have been particularly profitable, attracting about a quarter of attacks.

Last May the US Department of Justice (DoJ) charged Mikhail Pavlovich Matveev, a 30-year-old Russian national and suspected LockBit kingpin, with intentionally damaging protected computers, as well as conspiracy to damage protected computers and to transmit ransom demands.

Rebecca Moody, head of data research at Comparitech, said: “While this is positive news, it’s not time to pop the cork on the champagne bottle just yet. The takedown of LockBit’s website and arrests of certain members may disrupt operations and is certainly a step in the right direction. However, this ransomware gang has been in operation for nearly five years with many key members believed to be based in Russia, meaning there’s a way to go to dismantle the entire operation. LockBit also outsources work to affiliates.

“Since 2018, we have logged 349 confirmed ransomware attacks carried out by LockBit. 11.24 million records are confirmed to have been breached across just 79 of these attacks, creating an average data breach of more than 142,000 records. LockBit’s ransom demands have averaged $11.06 million across these confirmed attacks.”

In a screenshot shared by vx-underground, a group that disseminates information about malware and cybersecurity, the control panel used by LockBit to carry out attacks has been replaced by a message from law enforcement officials.

The Russian hacker group claims that the servers containing stolen data remained intact, that the FBI could not get hold of them, and that the data will be published in a new blog after “reconstruction”.

Check Point Software Technologies’ threat intelligence group manager Sergey Shykevich said: “This is bad timing for LockBit, having recently been removed from two Russian underground cybercrime forums for questionable business ethics.

“This latest action by UK and US authorities will be a major setback for their operations, and is likely to degrade their ability to recruit and retain affiliates. However, as we have seen in the past, ransomware gangs are notoriously resilient and may emerge under a different banner in the near future. The threat from this criminal gang and other ransomware groups will continue, and organisations must be constantly on their guard.”

News Wires
