LockBit Ransomware Operation Disabled; Criminals arrested; Decryption keys released

LockBit Ransomware Operation Shut Down

Britain’s National Crime Agency (NCA) confirmed on Tuesday that it has obtained LockBit’s source code as well as information related to its activities and their subsidiaries as part of a special task force called Operation Kronos.

“Some data on LockBit’s systems belonged to victims who paid ransoms to the threat actors, suggesting that even if a ransom is paid, it does not guarantee that the data will be deleted, despite what the criminals have promised,” said the agency. said.

It also announced the arrest of two LockBit actors in Poland and Ukraine. More than 200 cryptocurrency accounts linked to the group have been frozen. Charges have also been opened in the US against two other Russian nationals alleged to have carried out LockBit attacks.

Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord) have been accused of deploying LockBit against numerous victims in the US, including companies across the country in manufacturing and other industries, as well as victims around the world in the semiconductor industry. and other industries, according to the US. Department of Justice (DoJ).


Kondratyev has also been charged with three felonies stemming from his use of the Sodinokibi, also known as REvil, a ransomware variant to encrypt data, exfiltrate victim information, and extort ransoms from a corporate victim based in Alameda County, California.

The development comes in the wake of an international disruption campaign targeting LockBit, which the NCA described as ‘the most damaging cybercrime group in the world’.

As part of the takedown efforts, the agency said it took control of LockBit’s services and infiltrated its entire criminal enterprise. This includes the management environment used by affiliates and the public leak site hosted on the dark web.

In addition, 34 servers of LockBit branches have also been dismantled and more than 1,000 decryption keys have been retrieved from the seized LockBit servers.

LockBit Ransomware operation closed

Since its debut in late 2019, LockBit has been running a ransomware-as-a-service (RaaS) program that licenses its encryptors to affiliated companies, which carry out the attacks in exchange for a cut of ransom proceeds.

The attacks follow a tactic called double extortion, in which sensitive data is stolen before it is encrypted, with the threat actors pressuring the victims to make a payment to decrypt their files and prevent their data from being published.

LockBit Ransomware operation closed

“The ransomware group is also notorious for experimenting with new methods to pressure their victims into paying ransoms,” Europol says said.

“Triple extortion is one such method that includes the traditional methods of encrypting the victim’s data and threatening to leak it, but also distributed denial-of-service (DDoS) attacks as an additional layer of pressure.”


The data theft is facilitated through a custom data exfiltration tool codenamed StealBit. The infrastructure, which was used to organize and transfer victim data, has since been seized by authorities from three countries, including the US.

According to Eurojust and the DoJ, LockBit attacks have reportedly affected more than 2,500 victims around the world and generated more than $120 million in illicit profits. A decryption tool has also been made available via No more ransoms to restore files encrypted by the ransomware for free.

“Through our close collaboration, we hacked the hackers, took control of their infrastructure, seized their source code and obtained keys that allowed victims to decrypt their systems,” said NCA Director General Graeme Biggar.

“As of today, LockBit are locked out. We have damaged the capacity and, above all, the credibility of a group that depended on secrecy and anonymity. LockBit may be trying to rebuild their criminal enterprise. However, we know who they are and how they operate.”

#LockBit #Ransomware #Operation #Disabled #Criminals #arrested #Decryption #keys #released

Notify of
Inline Feedbacks
View all comments
Previous Post
Redis Servers for Cryptocurrency Mining

New Migo malware targets Redis servers for cryptocurrency mining

Next Post
ConnectWise ScreenConnect Software

Critical flaws found in ConnectWise ScreenConnect software

Related Posts