Britain and FBI lock notorious LockBit hackers out of their own website in major operation

One of the world’s most prolific cybercrime gangs has had its site taken over in a major global operation led by British and American law enforcement.

LockBit, which is believed to have been responsible for ransomware attacks on Royal Mail, Boeing and thousands of others, was targeted in an operation led by the UK’s National Crime Agency (NCA), the FBI and Europol.

The international law enforcement coalition of 10 countries “hacked the hackers” to take down the prolific ransomware site, whose attacks have cost “billions” in ransomware payments and recovery costs.

Speaking at a press conference in Westminster on Tuesday, NCA director general Graeme Biggar said that LockBit had been the most prolific ransomware group in the last four years and was behind a quarter of recent attacks.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code and obtained keys that will help victims decrypt their systems,” Mr Biggar said, adding: “As of today LockBit is effectively redundant. LockBit has been locked out.”

LockBit targets have included major companies, governments and public sector bodies – including hospitals and schools. He said the gang had caused “enormous harm and cost”.

The LockBit website was taken over by law enforcement (PA)

The prolific group “prided themselves on their brand and their anonymity”, even promising payments of $1,000 to people who got a tattoo of their logo. The group’s leader recently offered a $10m reward to anyone who could successfully identify them and demonstrate how they did it and what they do.

But Paul Foster, head of the NCA’s cybercrime unit, said the sting means law enforcement now knows “who they are and how they operate”.

Philip Sellinger, of the US Attorney’s Office for the District of New Jersey, where five individuals have been indicted, agreed that the operation “shatters” the anonymity of LockBit users and affiliates.

He said the US has brought charges against five Russian nationals linked to the group, two of whom are in custody: Mikhail Vasiliev, who is being held in Canada, and Ruslan Magomedovich Astamirov, who is in the US.

The remaining three – Artur Sungatov, Ivan Kondratyev and Mikhail Pavlovich Matveev – are at large.

Two further people have been arrested in Poland and Ukraine and more than 200 cryptocurrency accounts believed to be linked to the group have been frozen, Europol said.

NCA investigators found that the gang did not always delete data even when victims had paid their ransom demands. Meanwhile, the infrastructure supporting LockBit’s tool that was used to steal data, known as StealBit, based in three countries, has been seized.

It said it has found more than 1,000 decryption keys held by the group and will be contacting UK-based victims to help them recover encrypted data.

National Crime Agency director general Graeme Biggar announced the joint action against LockBit (PA)

The LockBit site was overlaid with a message on Monday evening saying it was “now under the control of law enforcement”.

The message said the website was under the control of the NCA “working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos”.

The site had been used by LockBit to sell services, including ransomware, to hackers. These would allow them to breach people’s computer networks. The ransomware-as-a-service group is believed to have been behind a number of high-profile cyberattacks in recent years, including one on Royal Mail last year.

Ransomware is a form of malware that encrypts data and files inside a system and demands a ransom be paid in order to release them.

Home Secretary James Cleverly described the sting as a “major blow” to the cybercrime gang.

“The criminals running LockBit are sophisticated and highly organised but they have not been able to escape the arm of UK law enforcement and our international partners,” he said. “The UK has severely disrupted their sinister ambitions and we will continue going after criminal groups who target our businesses and institutions.”

US Attorney General Merrick B Garland said the crackdown had “taken away the keys to their criminal operation”.

The NCA targeted LockBit in a joint operation with ten countries, with help from the FBI and Europol (PA)

The National Cyber Security Centre has previously warned that ransomware remains one of the biggest cyber threats facing the UK and urges people and organisations not to pay ransoms if they are targeted.

Although LockBit may try to rebuild, Chris Morgan, analyst from cybersecurity firm ReliaQuest, said the law enforcement action was “a significant short-term blow”.

Chester Wisniewski, director director of global field CTO at cybersecurity firm Sophos, said the operation was a “huge win” for law enforcement, but warned that it was unlikely to have fully disrupted LockBit.

“LockBit rose to be the most prolific ransomware group since Conti departed the scene in mid-2022. The frequency of their attacks, combined with having no limits to what type of infrastructure they cripple has also made them the most destructive in recent years,” he said.

“Anything that disrupts their operations and sows distrust amongst their affiliates and suppliers is a huge win for law enforcement.

“We shouldn’t celebrate too soon though. Much of their infrastructure is still online, which likely means it is outside the grasp of the police and the criminals have not been reported to have been apprehended.

“Even if we don’t always get a complete victory, imposing disruption, fuelling their fear of getting caught and increasing the friction of operating their criminal syndicate is still a win.

“We must continue to band together to raise their costs ever higher until we can put all of them where they belong: in jail.”

From news to politics, travel to sport, culture to climate – The Independent has a host of free newsletters to suit your interests. To find the stories you want to read, and more, in your inbox, click here.