A sweeping law enforcement operation led by the U.K.’s National Crime Agency this week took down LockBit, the notorious Russia-linked ransomware gang that has for years wreaked havoc on businesses, hospitals, and governments around the world. The action saw LockBit’s leak site downed, its servers seized, multiple arrests made, and U.S. government sanctions applied in what is one of the most significant operations taken against a ransomware group to date.
Key Takeaway
The takedown of LockBit has revealed crucial insights into the operations of ransomware groups, including the non-deletion of data even after ransom payment, vulnerabilities in their own systems, and the extensive efforts required for law enforcement to dismantle such criminal operations.
Non-Deletion of Data Despite Ransom Payment
It’s long been suspected that paying a hacker’s ransom demand is a gamble and not a guarantee that stolen data will be deleted. The NCA revealed that some of the data found on LockBit’s seized systems belonged to victims who had paid a ransom to the threat actors, “evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” the NCA said in a statement.
Ransomware Gangs’ Vulnerabilities
Even ransomware gangs are slow to patch software bugs. According to malware research group vx-underground, law enforcement hacked into the ransomware operation’s servers using a known vulnerability in the popular web coding language PHP. This highlights the negligence of ransomware groups in addressing critical security flaws.
Lengthy Takedown Process
The LockBit takedown, known officially as “Operation Cronos,” was years in the making, according to European law enforcement agency Europol. The agency revealed that its investigation into the notorious ransomware gang began in April 2022, some two years ago, at the request of French authorities. This emphasizes the extensive time and resources required for law enforcement to dismantle such criminal operations.
Scale of LockBit’s Impact
Tuesday’s operation confirmed that LockBit has hacked more than 2,000 organizations, with over 2,000 victims in the U.S. and worldwide, and that the gang received more than $120 million in ransom payments. These numbers underscore the widespread impact and financial gains of the LockBit ransomware gang.
Sanctions’ Ripple Effect on Ransomware
The sanctions targeting a key LockBit member, Kondratiev, may affect other ransomware groups, as the indicted individual has ties to multiple ransomware variants. The sanctions effectively ban U.S.-based victims of Kondratiev’s ransomware from paying him the ransoms he demands, potentially disrupting the operations of other ransomware groups associated with him.
British Authorities’ Sense of Humor
The LockBit sting has shown that the U.K. authorities have a sense of humor, as they made a mockery of LockBit by mimicking the gang’s dark web leak site for its own LockBit-related revelations. Various Easter eggs hidden on the now-seized LockBit site further emphasize the light-hearted approach taken by the authorities in the face of serious cybercrime.