LockBit Website Shut Down in 'Operation Cronos'

The website of the notorious ransomware gang LockBit has been taken down in an international sting operation corroborated by the EU, US and UK.

The UK’s National Crime Agency (NCA), the FBI, and Europol, along with a coalition of police agencies from across the globe, took control of the website on Monday in a joint operation to disrupt the gang’s activities.

"This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’," read,” reads a post on the gang’s extortion website.

"We can confirm that Lockbit's services have been disrupted as a result of International Law Enforcement action — this is an ongoing and developing operation.”

The post also named other international police organisations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems,” said Graeme Biggar, the NCA’s director general.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

The takedown of LockBit's website was the culmination of a months-long investigation involving law enforcement agencies from 11 countries. Investigators meticulously analyzed LockBit’s operations, identified vulnerabilities in their infrastructure, and ultimately exploited a PHP vulnerability to gain access to the gang’s servers. 

This allowed them to seize crucial data, including victim information, source code, and internal communications and ultimately made it much more difficult for LockBit to leak its victims’ data on the dark web.

Europol also said that two LockBit actors had been arrested in Poland and Ukraine and that a further two defendants thought to be LockBIT affiliates, had been arrested and charged in the US.

Two more individuals have been named, and are Russian nationals still at large. Authorities have also frozen more than 200 cryptocurrency accounts linked to the criminal organisation.

What is LockBit?

LockBit is a notorious ransomware gang known for using the Ransomware-as-a-Service (RaaS) model – where it develops and distributes ransomware software that other threat actors can use to target and extort victims.

Since 2021, LockBit has employed a "double extortion" tactic, where they not only encrypt data but also exfiltrate it before threatening to leak it publicly if the ransom isn't paid. 

This causes significant financial and operational disruptions for organizations, making it more likely for them to pay the ransom to dampen the impact of the attack. 

LockBit is responsible for numerous large-scale ransomware attacks against businesses, and organizations, with victims including the UK Ministry of Defence, Royal Mail and the NHS, and it has racked up victims in recent months with companies and organisations from around the world falling victim to its onslaught. 

The group has far outpaced other ransomware gangs since it emerged in late 2019, with researchers at Recorded Future attributing nearly 2,300 attacks to the group. For comparison, Conti – the second most active gang – has only been linked to 883 attacks.

Although the group previously claimed to have rules prohibiting attacks on hospitals, it hit Canada’s largest children’s hospital during the 2022 Christmas season, as well as multiple healthcare facilities in the U.S. and abroad. 

Last month, the group also said it was behind a November attack on a hospital system that forced multiple facilities in Pennsylvania and New Jersey to cancel appointments.

“A taste of their own medicine”

While the success of Operation Cronos is not yet known, the cybersecurity community has responded positively to the news of LockBit’s website takedown, with many calling the move a key step in blocking the gang’s activities.

“Operation Cronos gave LockBit operators a taste of their own medicine,” said Huseyin Can Yuceel, a security researcher at Picus Security.

 “According to LockBit admins, the law enforcement agencies exploited PHP CVE-2023-3824 vulnerability to compromise LockBit's public-facing servers and gain access to LockBit source code, internal chat, victims' details, and stolen data.”

Andy Kays, CEO of Socura, commented: “LockBit has long been a scourge to businesses, government agencies and security professionals the world over. It is arguably the most active ransomware group ever, whose attacks are both devastating and indiscriminate,”

“LockBit’s takedown required the dedicated action of multiple countries and government agencies, which highlights the scale, importance, and complexity of the task.

“I expect that these agencies would have only acted when they knew with some certainty that they could hit them hard.

Tim West, Director, of Threat Intelligence & Outreach at WithSecure, told EM360Tech that LockBit was likely the top target for security agencies given the devastation the gang has caused in recent years. 

“Of all the ransomware brands to disrupt, Lockbit is almost certainly the preferred choice. Responsible for approximately a fifth of all Ransomware breach site posts in 2023, and 25% so far in 2024 Lockbit is by far considered the most prolific, resourced, professional and capable,” said Tim West, Director, of Threat Intelligence & Outreach at WithSecure. 

“Commentary from European Law Enforcement describes a comprehensive seizure of all infrastructure required to run the ransomware operation. 

“A staggered release of data on Lockbit's leak site is not only extremely embarrassing for Lockbit but also may suggest they do not know the extent of the action taken.”

A likely resurgence

Despite the disruption caused by Operation Cronos’ experts believe that LockBit is still likely to re-group quickly unless arrests are made. This is especially true if the gang has backup servers with the data they’ve stolen from some of their victims. 

“At this stage, it’s always extremely difficult to know if a campaign like this will put a group out of action for good,” added Kays. This always depends on where the individuals are based, and if they are known to the authorities. We’ve seen time and time again, that the same individuals can re-emerge and re-group.”

“We will know more at 11.30 according to the takedown site, which is an apt role reversal. Now it is LockBit whose future hangs in the balance as an online countdown clock ticks down to zero.”

🚨 Europol & law enforcement from 10 countries disrupt world’s biggest ransomware operation.

💻 LockBit, seen as the world’s most prolific and harmful ransomware, caused billions of euros worth of damage.

More information ⤵️https://t.co/EpHLmhg2C2 pic.twitter.com/Wywzjvm0CP

— Europol (@Europol) February 20, 2024

Can Yceel agree, warning that LockBit has a history of being incredibly diligent despite previous efforts to take the group down.

"According to LockBit admins, the law enforcement agencies exploited PHP CVE-2023-3824 vulnerability to compromise LockBit's public-facing servers and gain access to LockBit source code, internal chat, victims' details, and stolen data.

“Although the LockBit group claims to have untouched backup servers, it is unclear whether they will be back online. Currently, LockBit associates are not able to login to LockBit services. 

“In a Tox message, adversaries told their associates that they would publish a new leak site after the rebuild. Takedowns are short-lived if no one is arrested,” Can Yceel added.