Major cyber crime group LockBit disrupted by enforcement agencies

The National Crime Agency has announced a joint-agency operation to disrupt the operations of LockBit, widely seen as the world’s most harmful cyber crime group. The NCA says that after infiltrating the group’s network, it has taken control of LockBit’s services, compromising its entire criminal enterprise.

LockBit has been in operation for four years and during that time, attacks utilising their ransomware have been prolific. LockBit ransomware attacks targeted thousands of victims around the world, including in the UK, and caused losses of billions of pounds, dollars and euros, both in ransom payments and in the costs of recovery. The group provided ransomware-as-a-service to a global network of hackers or ‘affiliates’, supplying them with the tools and infrastructure required to carry out attacks.

The NCA has taken control of LockBit’s primary administration environment, which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, on which it previously hosted, and threatened to publish, data stolen from victims. Instead, this site will now host information exposing the group’s capability and operations, which the NCA will be posting daily throughout the week.

The agency says it has also obtained the LockBit platform’s source code and a vast amount of intelligence from LockBit’s systems about the group’s activities and about those who have collaborated with it and used its services to harm organisations throughout the world.

The NCA, in cooperation with the FBI and supported by international partners from nine other countries, has been covertly investigating LockBit as part of a dedicated taskforce called Operation Cronos.

LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down. In wider action coordinated by Europol, two LockBit actors have also been arrested in Poland and Ukraine, while over 200 cryptocurrency accounts linked to the group have been frozen.

Graeme Biggar, NCA Director General, said: “This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the agency and our partners. Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

Jonathon Ellison, Director for National Resilience and Future Technology at the National Cyber Security Centre, said: “We welcome the disruptive action taken by the NCA and its partners against the LockBit ransomware operation, undermining cyber criminals’ ability to inflict harm in the UK and around the world.

“Ransomware is an acute and present danger to UK businesses and the damage that attacks cause can have a significant toll on finances, operations and reputations. We urge all organisations to follow the guidance on the NCSC website to help reduce their risk of falling victim and to ensure they are well-prepared to respond effectively if the worst happens.”


