A major international law enforcement operation has disrupted the infrastructure and services of the notorious LockBit ransomware gang, authorities announced Tuesday.
The coordinated action, dubbed Operation Cronos, involved police agencies from 11 countries including the UK’s National Crime Agency, the FBI, Europol, and others from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany.
On Monday, visitors to the dark web site LockBit uses to publish stolen victim data and extort ransom payments were greeted with a message saying the site was now under the control of the NCA and law enforcement partners.
An NCA spokesperson confirmed that the agency had disrupted the gang and said the operation was “ongoing and developing”.
While some LockBit sites remained active, others, including the gang's main ransom negotiation portals, displayed law enforcement seizure notices or error messages, suggesting significant disruption to the criminal operation.
LockBit is considered the world’s most prolific and damaging ransomware group. The Russia-linked syndicate operates on a ransomware-as-a-service model, recruiting affiliate hackers to breach corporate networks with its malware and handle extortion negotiations.
Victims who refuse to pay ransoms of hundreds of thousands to millions of dollars risk having their sensitive data leaked publicly. The gang claims to have targeted over 1,700 organizations globally since 2020, extracting at least $91 million in payments from U.S. victims alone, according to government estimates.
Recent high-profile victims have included Boeing, the U.K.’s Royal Mail postal service, the city government of Oakland, California, and the Internal Revenue Service of Italy.
Just last week, Bank of America began notifying customers that LockBit hacked and stole personal information from Infosys McCamish Systems, a BofA contractor.
While seizing dark web infrastructure is no silver bullet – ransomware groups have rebounded from similar actions before – hitting LockBit’s leak site and negotiation portal delivers a major blow to their extortion business model in the short term.
Experts say this could disrupt dozens of ongoing ransom negotiations and prevent new sensitive leaks. It also provides opportunities for law enforcement to identify more of LockBit’s core members and the victims paying them.
The scale of international cooperation is also significant, reflecting global authorities’ increased prioritization of the ransomware threat. The agencies are committed to continuing the operation to maximize lasting impact.
Previous operations have seen the likes of REvil and DarkSide disappear for months after takedowns, though most major ransomware gangs eventually return in some form.
For now, LockBit appears contained pending further action. But the criminal ecosystem remains crowded with smaller upstart groups and remnants of others like Conti equally eager to fill any vacuum left in the market.
The ransomware scourge continues to extract billions annually from businesses, critical infrastructure like hospitals, and government bodies. While welcome, this single win underscores the immensity of the challenge of stopping professional cybercriminal groups who are often sheltered by adversary nations.
Vx-underground just reported that the LockBit ransomware group has issued a message to individuals on Tox:
“The FBI fucked up servers using PHP, backup servers without PHP are not touched”
Also, when a LockBit affiliate tries to log in to the LockBit panel, this is what they see:
Organizations for their part must redouble efforts to improve basic cyber hygiene and backups, implement multilayered security defenses, train employees on threats, and report attacks quickly to maximize response.
Staying vigilant against evolving social engineering like phishing and patching known security gaps can stop over 80% of ransomware incidents before they start. Regular offline backups of sensitive data remain the best insurance against disruption.
If attacked, consulting experts immediately gives the best chance of regaining control and mitigating damage. Paying ransoms actually encourages more criminality, but can’t be ruled out for cases where human lives are at stake.
With malware profits topping $1 billion last year, the underground ecosystem fuels a digital crime economy reliant on ransomware to bankroll other hacking ventures. Only a collaborative global effort across public and private sectors can hope to disrupt this full value chain and deterrence model.
Operation Cronos shows governments are moving in the right direction. However, defeating the resilient ransomware industry will require immense, sustained commitment to match an opponent motivated by profit over ethics.