LockBit could be done and dusted after NCA operation gained access to admin environments, source code, and affiliate info

LockBit website law enforcement takedown notice featuring FBI, NCA, and Europol logos.
(Image credit: Future)

Ransomware group LockBit's operations appear to have been severely disrupted following a law enforcement sting, making it the latest major cyber criminal gang to fall prey to authorities. 

A notice posted to the group’s site on Monday evening claimed it was “now under control of law enforcement”, adding that the UK’s National Crime Agency (NCA), the FBI, and international partners were responsible.

“We can confirm that LockBit’s operations have been disrupted as a result of international law enforcement action,” the notice read. “This is an ongoing and developing operation”

LockBit takedown saw NCA access group's networks

According to the NCA, an extensive operation involving international partners saw the law enforcement agency infiltrate the group’s network. 

The agency said it has “taken control of LockBit’s services, compromising their entire criminal enterprise”.

This includes LockBit’s primary administration environment, the agency said, which allows affiliates to build and carry out attacks, as well as its public-facing leak site.

In addition, the NCA revealed its has also obtained LockBit’s platform source code, as well as a “vast amount of intelligence from their systems about activities and those who have worked with them”.

“Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised," the NCA said in a statement.

Arrests have been made off the back of the operation, the NCA confirmed. As part of a wider action coordinated by Europol, two LockBit actors have been arrested in Poland and Ukraine, and over 200 cryptocurrency accounts linked to the group have been frozen.

LockBit has skyrocketed to notoriety in recent years, becoming one of the most prolific groups since first emerging in 2020. Operating under a ‘ransomware as a service’ model, LockBit has wreaked havoc against organizations spanning both the public and private sectors.

Last year, the gang claimed responsibility for the devastating attack on Royal Mail which severely disrupted operations for weeks.

Security agencies worldwide, including the UK’s National Cyber Security Centre (NCSC) have issued repeated warnings over the threat posed by LockBit.

Analysis from ZeroFox in December 2023 showed the group represents the “most significant threat” to organizations in the UK. Similarly, LockBit attacks accounted for around 30% of all global ransomware and digital extortion (R&DE) attacks in the first quarter of 2023.

Don’t hold your breath on the LockBit takedown

Chester Wisniewski, director and global field CTO at cyber security firm Sophos said the move is a “huge win for law enforcement”, but questioned whether the takedown will have a lasting impact on the group. 

In a statement issued by LockBit in the wake of the takedown, the group insisted it still maintains backups, suggesting it could resurface. 

“Anything that disrupts their operations and sows distrust amongst their affiliates and suppliers is a huge win for law enforcement,” he said.

“We shouldn't celebrate too soon though. Much of their infrastructure is still online, which likely means it is outside the grasp of the police and the criminals have not been reported to have been apprehended.”

Drawing parallels to the Qakbot takedown in August 2023, Wisniewski said the law enforcement action still marks a significant moment for law enforcement in the battle against ransomware groups.

“Even if we don't always get a complete victory, like has happened with Qakbot, imposing disruption, fueling their fear of getting caught and increasing the friction of operating their criminal syndicate is still a win. We must continue to band together to raise their costs ever higher until we can put all of them where they belong – in jail.”

Tim West, director for threat intelligence and outreach at WithSecure, echoed Wisniewski's comments, adding that LockBit has proven itself to be highly resilient in the wake of previous incidents. 

"LockBit have proven themselves in the past to be a resilient ransomware variant, surviving major leaks and rebrands, we do not yet know the impact that these takedowns will have on operations," he said. "LockBit themselves are claiming that only servers running PHP elements were impacted, data is safe and backup servers were unaffected which, if true, will probably mean LockBit (as well-resourced actors) can recover fairly swiftly.

"This being said, commentary from European Law Enforcement describes a comprehensive seizure of all infrastructure required to run the ransomware operation. A staggered release of data on LockBit's own leak site is not only extremely embarrassing for LockBit, but also may suggest they themselves do not know the extent of the action taken."

LockBit isn’t the only major ransomware group to have been subject to law enforcement action in recent months.

In December 2023, US authorities seized the ALPHV/BlackCat dark web leak site as part of an operation to take down the gang.

The Department of Justice revealed the operation, which involved law enforcement agencies from the UK, Germany, Denmark, Spain, and Australia, seized “several websites” operated by the ransomware group.

The operation enabled law enforcement to “gain visibility” into the ransomware group’s computer network, the FBI said at the time, and a decryption tool for those impacted by the group was released.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.