“LockBit are locked out” – Global forces disrupt ransomware variant

Global taskforce disrupts infamous ransomware gang and makes charges against two Russian nationals.

LockBit, one of the world’s most active ransomware groups, has been disrupted, had multiple public-facing websites seized, and 34 servers taken over in a global operation. Stealbit – a bespoke data exfiltration tool used to steal victim data – was also seized in the operation, disrupting the cyber group’s ability to attack and encrypt networks.

“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group,” said National Crime Agency Director General Graeme Biggar. “As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

More than 200 cryptocurrency accounts linked to the criminal gang were also frozen, and over 14,000 rogue accounts responsible for exfiltration or infrastructure identified and referred for removal by law enforcement.

“For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, US and UK law enforcement are taking away the keys to their criminal operation,” added Attorney General Merrick B Garland. “And we are going a step further – we have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data.”

“Our investigation will continue, and we remain as determined as ever to identify and charge all of LockBit’s membership – from its developers and administrators to its affiliates.”

Philip R Sellinger, US Attorney for the District of New Jersey

The operation, conducted under the name Operation Cronos, was a joint mission of 10 countries led by the UK National Crime Agency’s (NCA) Cyber Division, and included the Justice Department (DOJ), the Federal Bureau of Investigation (FBI), and other international law enforcement partners.

Restore encrypted systems

The taskforce has also developed decryption capabilities that could help victims to restore hacked and encrypted systems, and encourage victims to contact the FBI to determine whether affected systems can be decrypted. 

“Using all our authorities and working alongside partners in the United Kingdom and around the world, we have now destroyed the online backbone of the LockBit group,” said Deputy Attorney General Lisa Monaco. “We are turning the tables on LockBit – providing decryption keys, unlocking victim data, and pursuing LockBit’s criminal affiliates around the globe.”

Russian nationals Artur Sungatov and Ivan Kondratyev (known as Bassterlord), who were arrested in Poland and Ukraine, have also been charged by the DOJ for deploying LockBit against numerous victims in the US, businesses nationwide, and victims around the world in the semiconductor and other industries.

“Through years of innovative investigative work, the FBI and our partners have significantly degraded the capabilities of those hackers responsible for launching crippling ransomware attacks against critical infrastructure and other public and private organizations around the world,” said FBI Director Christopher A Wray.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

Graeme Biggar, Director General, National Crime Agency

Allegedly, from at least January 2021, Sungatov deployed the LockBit ransomware against corporations and took steps to fund additional attacks against other victims. The attacked business sectors included manufacturing, logistics, insurance, and other companies located in Minnesota, Indiana, Puerto Rico, Wisconsin, Florida, and New Mexico.

Kondratyev, allegedly, began to deploy LockBit in August 2021 against municipal and private targets in Oregon, Puerto Rico, and New York, and to targets located in Singapore, Taiwan, and Lebanon.

Both are alleged to have to have developed and deployed LockBit ransomware, and to have extorted payments from corporate victims.

Additionally, the FBI Phoenix Field Office and Assistant US Attorney Helen L Gilbert are also investigating and prosecuting Kondratyev in the Northern District of California over alleged deployment of ransomware against a victim in California in 2020, and the Department of the Treasury’s Office of Foreign Assets Control has added Sungatov and Kondratyev to its Designated Nationals List.

Other LockBit charges

These are not the first charges against LockBit. Vasiliev – a dual Russian-Canadian national – was first charged in November 2022 in relation to his participation in the LockBit global ransomware campaign. He is currently in custody in Canada awaiting extradition to the US.

Mikhail Pavlovich Matveev, a former key actor in the Russian ransomware ecosystem, was charged by the DOJ in May 2023 for using three different ransomware variants to attack numerous victims throughout the US – including law enforcement agencies in Washington, DC and New Jersey. Matveev, also known online as Wazawaka, m1x, Boriselcin, and Uhodiransomwar, has been a central figure in the development and deployment of ransomware variants Hive, LockBit, and Babuk, and more. A bounty of up to $10m for information that leads to his arrest and/or conviction has also been set up through the US Department of State’s Transnational Organized Crime Rewards Program.

And in June 2023, the Russian national Ruslan Magomedovich Astamirov was charged for his participation in the LockBit conspiracy, including his deployment of LockBit against victims in Florida, Japan, France, and Kenya. He is currently in custody in the US awaiting trial.

“Today’s indictment, unsealed as part of a global coordinated action against the most active ransomware group in the world, brings to five the total number of LockBit members charged by my office and our FBI and Computer Crime and Intellectual Property Section partners for their crimes,” said Philip R Sellinger, US Attorney for the District of New Jersey. “Our investigation will continue, and we remain as determined as ever to identify and charge all of LockBit’s membership – from its developers and administrators to its affiliates. We will put a spotlight on them as wanted criminals. They will no longer hide in the shadows.”

LockBit ransomware group

  • The group first appeared at the end of 2019 – but under the name ‘ABCD’ ransomware. LockBit then appeared around January 2020, and has carried out attacks on more than 2,000 victims around the world. It has made demands of more than hundreds of millions of dollars and received more than $120m in ransom payments.
  • Europol describes the group as “the world’s most harmful ransomware” operation, and “infamous for experimenting with new methods for pressuring their victims into paying ransoms”. These include ‘Triple extortion’, where the victim’s data is encrypted and the group threatens to leak it; and Distributed Denial-of-Service (DDoS) attacks, where servers are flooded with attacks and users prevented from accessing connected online services and sites.

The countries in the international Operation Cronos taskforce included: 

  • United Kingdom: National Crime Agency (NCA), and the South West Regional Organised Crime Unit (South West ROCU);
  • United States: US Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI) Newark;
  • France: National Gendarmerie (Gendarmerie Nationale – Unité nationale cyber C3N);
  • Germany: State Bureau of Criminal Investigation Schleswig-Holstein (LKA Schleswig-Holstein), and the Federal Criminal Police Office (Bundeskriminalamt);
  • The Netherlands: National Police (Team Cybercrime Zeeland-West-Brabant, the Team Cybercrime Oost-Brabant, and the Team High Tech Crime) and the Public Prosecutor’s Office Zeeland-West-Brabant);
  • Sweden: Swedish Police Authority (Polismyndigheten);
  • Australia: Australian Federal Police (AFP);
  • Canada: Royal Canadian Mounted Police (RCMP);
  • Japan: National Police Agency (警察庁); and
  • Switzerland: Swiss Federal Office of Police (fedpol), the Public Prosecutor’s Office of the canton of Zurich, and the Zurich Cantonal Police.

With the support of:

  • Finland: National Police (Poliisi);
  • Poland: Central Cybercrime Bureau Cracow (Centralne Biuro Zwalczania Cyberprzestępczości – Zarząd w Krakowie); and
  • New Zealand: New Zealand Police (Nga Pirihimana O Aotearoa).
  • Ukraine: Prosecutor General`s office of Ukraine (Офіс Генерального прокурора України), Cybersecurity Department of the Security Service of Ukraine (Служба безпеки України), National Police of  Ukraine (Національна поліція України).