LockBit, the infamous ransomware group with ties to Russia that has devastated companies, hospitals, and governments worldwide for years, was brought down this week by a massive law enforcement investigation coordinated by the National Crime Agency of the United Kingdom.
In one of the biggest operations against a ransomware gang to date, LockBit’s leak site was knocked offline, and its servers were seized. Additionally, two LockBit actors were arrested in Poland and Ukraine, the group’s more than 200 bitcoin accounts have been blocked, and two more Russian nationals accused of carrying out LockBit attacks became targets of U.S. sanctions.
According to the U.S. Department of Justice (DoJ), Artur Sungatov and Ivan Gennadievich Kondratyev (also known as Bassterlord) were accused of using LockBit against a number of victims across the United States, including companies in the manufacturing and other industries nationwide, as well as victims worldwide in the semiconductor and other industries.
Kondratyev also faces three felony charges related to his alleged use of the Sodinokibi, or REvil, ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim located in Alameda County, California.
According to US Attorney General Merrick Garland, LockBit was one of the world’s most prolific ransomware groups, accountable for over 2,000 victims and $120 million in extortion payments.
“Actions like today’s would not be possible without victims reporting their ransomware attacks to law enforcement,” he said in a statement. “LockBit is not the first ransomware variant the Justice Department and its international partners have dismantled. It will not be the last.”
“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity,” NCA Director General Graeme Biggar stated in the announcement. “Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”
The LockBit takedown, dubbed Operation Cronos, is the third multinational effort in less than a year against notorious ransomware groups. The FBI said in June that it had penetrated the infrastructure of the Hive ransomware group and taken down its network. More than 1,000 decryption keys were acquired by the authorities, helping the victims and preventing the payment of almost $130 million in ransom.
In December, the feds stated that they had disrupted the Alphv/BlackCat ransomware group with the aid of a confidential informant. Law enforcement authorities took control of many websites and created a decryption tool to help victims get their data back.