FULTON COUNTY, Ga. – In a major international effort, the U.S. Department of Justice, along with the United Kingdom and international law enforcement partners in London, has successfully disrupted the LockBit ransomware group, a notorious cybercriminal organization, according to a press release. The group, responsible for attacking over 2,000 victims worldwide, reportedly received over $120 million in ransom payments and issued demands totaling hundreds of millions of dollars.
The U.K. National Crime Agency’s (NCA) Cyber Division, working in cooperation with the Justice Department, Federal Bureau of Investigation (FBI), and other international law enforcement partners, disrupted LockBit’s operations by seizing numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and seizing control of servers used by LockBit administrators, thereby disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data.
This is the same group that is believed to be responsible for the ransomware attack on Fulton County.
Attorney General Merrick B. Garland emphasized the significance of this operation, stating, “For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation.”
In a proactive measure, the Justice Department also obtained decryption keys from the seized LockBit infrastructure to assist victims in recovering their systems and data. Deputy Attorney General Lisa Monaco highlighted the commitment to dismantling cybercrime ecosystems and prioritizing victim recovery.
Furthermore, the Department unsealed an indictment in New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, known as Bassterlord, for deploying LockBit against numerous victims in the U.S. and internationally. Additional criminal charges against Kondratyev were unsealed Tuesday in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in California.
Finally, the Department also unsealed two search warrants issued in the District of New Jersey that authorized the FBI to disrupt multiple U.S.-based servers used by LockBit members in connection with the LockBit disruption. As disclosed by those search warrants, those servers were used by LockBit administrators to host the so-called “StealBit” platform, a criminal tool used by LockBit members to organize and transfer victim data.
FBI Director Christopher A. Wray commended the successful disruption, stating, “This operation demonstrates both our capability and commitment to defend our nation’s cybersecurity and national security from any malicious actor who seeks to impact our way of life.”
According to the indictment obtained in the District of New Jersey, from at least as early as January 2021, Sungatov allegedly deployed LockBit ransomware against victim corporations and took steps to fund additional LockBit attacks against other victims. Sungatov allegedly deployed LockBit ransomware against manufacturing, logistics, insurance, and other companies located in Minnesota, Indiana, Puerto Rico, Wisconsin, Florida, and New Mexico.
Additionally, as early as August 2021, Kondratyev is similarly alleged to have begun deploying LockBit against multiple victims. Kondratyev, operating under the online alias “Bassterlord,” allegedly deployed LockBit against municipal and private targets in Oregon, Puerto Rico, and New York, as well as additional targets located in Singapore, Taiwan, and Lebanon. Both Sungatov and Kondratyev are alleged to have joined in the global LockBit conspiracy, also alleged to have included Russian nationals Mikhail Pavlovich Matveev and Mikhail Vasiliev, as well as other LockBit members, to develop and deploy LockBit ransomware and to extort payments from victim corporations.
With the indictment unsealed today, a total of five LockBit members have now been charged for their participation in the LockBit conspiracy. In May 2023, two indictments were unsealed in Washington, D.C., and the District of New Jersey charging Matveev with using different ransomware variants, including LockBit, to attack numerous victims throughout the United States, including the Washington, D.C., Metropolitan Police Department. Matveev is currently the subject of a reward of up to $10 million through the U.S. Department of State’s Transnational Organized Crime Rewards Program, with information accepted through the FBI tip website at www.tips.fbi.gov/.
In November 2022, a criminal complaint was filed in the District of New Jersey charging Vasiliev in connection with his participation in the LockBit global ransomware campaign. Vasiliev, a dual Russian-Canadian national, is currently in custody in Canada awaiting extradition to the United States. In June 2023, Russian national Ruslan Magomedovich Astamirov was charged by criminal complaint in the District of New Jersey for his participation in the LockBit conspiracy, including his deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.
Kondratyev, according to the indictment obtained in the Northern District of California and unsealed today, is also charged with three criminal counts arising from his use of the Sodinokibi, also known as REvil, ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.
The press release says that the LockBit ransomware variant first appeared around January 2020 and, leading into today’s operation, had grown into one of the most active and destructive variants in the world.
LockBit members have executed attacks against more than 2,000 victims in the United States and around the world, making at least hundreds of millions of U.S. dollars in ransom demands and receiving over $120 million in ransom payments.
The LockBit ransomware variant, like other major ransomware variants, operates in the “ransomware-as-a-service” (RaaS) model, in which administrators, also called developers, design the ransomware, recruit other members — called affiliates — to deploy it, and maintain an online software dashboard called a “control panel” to provide the affiliates with the tools necessary to deploy LockBit.
Affiliates, in turn, identify and unlawfully access vulnerable computer systems, sometimes through their own hacking or at other times by purchasing stolen access credentials from others. Using the control panel operated by the developers, affiliates then deploy LockBit within the victim computer system, allowing them to encrypt and steal data. A ransom is then demanded to decrypt the data or to avoid its publication on a public website maintained by the LockBit developers, often called a data leak site.
Additionally, the Department of the Treasury’s Office of Foreign Assets Control announced today that it is designating Sungatov and Kondratyev for their roles in launching cyberattacks.
Victims affected by LockBit are encouraged to contact the FBI at https://lockbitvictims.ic3.gov/ for further assistance. Detailed information on protecting networks against LockBit ransomware is available at StopRansomware.gov. The disruption operation involved collaboration with law enforcement agencies from around the world, demonstrating the global effort to combat cyber threats.