Handcuffs on a keyboard showing law enforcement operation on Lockbit ransomware group

International Law Enforcement’s “Operation Cronos” Snags LockBit Ransomware Group’s Leak Site, Crypto Wallets and Decryption Keys

An international law enforcement operation appears to have significantly disrupted the capabilities of the LockBit ransomware group, one of the biggest internet-based criminal hacking organizations in the world.

The group’s leak site, used to extort victims, now shows a message indicating it has been seized by the National Crime Agency of the UK (NCA). The gang’s ransom negotiation sites have also gone offline, but some of its other dark web components remain operational.

NCA, FBI strike a blow to LockBit ransomware group

On Tuesday the NCA, US Justice Department and FBI announced the seizure of “numerous” public-facing websites and administrator servers used by the LockBit ransomware group as part of an action called “Operation Chronos.” US Attorney General Merrick B. Garland also told the media that the Justice Department had obtained decryption keys and would be distributing them to victims.

Two indictments were also made public, for two Russian nationals by the names of Artur Sungatov and Ivan Kondratyev. The pair are allegedly longtime members of the LockBit ransomware group wanted by law enforcement for attacking targets in the US. The indictment also names two other Russian nationals, Mikhail Pavlovich Matveev and Mikhail Vasiliev, as conspirators that also participated in ransomware deployment against US organizations. Two search warrants were also issued in the District of New Jersey for servers used by LockBit administrators to host the group’s “StealBit” platform, deployed to exfiltrate and transfer victim data in the wake of breaches.

The UK NCA has control of the LockBit ransomware group’s data leak site, but the condition of the rest of its operation remains in question. The ransom negotiation sites used to directly extort victims and the affiliate panel are offline, but it remains unclear exactly how much of the infrastructure is under law enforcement control. Other portions of the LockBit dark web network, such as its internal messaging server and the site used to host stolen data, appear to still be functional and under the group’s control.

Indictments of Russian nationals tend to have limited effect, given the need for the Russian government to cooperate in apprehension and extradition. Surprises have happened before, most notably the raids by the Putin government on notorious group REvil in early 2022 that took place just after the outset of the Ukraine invasion. The FSB said that it acted on requests from the US government, stemming from REvil’s role in brazen 2021 attacks on critical infrastructure. Russian law enforcement raided 25 locations across the country and made numerous arrests of group members, essentially putting a permanent end to it. However, this is far from a likely outcome.

The best shot law enforcement has at picking these individuals up is catching them in transit through other countries. Two of the LockBit ransomware group members have been arrested in this way, one in Poland and the other in Ukraine.

Law enforcement causes serious disruption, but LockBit not dead yet

The mysterious leader of the LockBit ransomware group, who goes by the handle “LockBitSupp” and communicates with the public via the Tox messaging service, confirmed that the FBI used a PHP exploit to breach the gang’s servers.  But so long as key operators are free and some infrastructure exists for them to use, the gang cannot be assumed to be out of commission.

The news is good for more recent victims, however, with law enforcement reporting seizure of about 200 of the group’s crypto wallets and over 1,000 decryption keys that unlock instances of the “LockBit 3.0” ransomware. The US State Department has announced that it is offering rewards of $10 million for information that leads to LockBit ransomware group leadership and $5 million for leads on anyone that has participated in one of the group’s attacks.

However, Dr Ilia Kolochenko (CEO and Chief Architect at ImmuniWeb) observes that this might not be such a positive development for organizations that paid LockBit a ransom and then failed to report it under mandatory regulations: “What is interesting is whether law enforcement agencies will pass the information about victims, data breaches and paid (or non-paid) ransoms to other national authorities to probe the victims of LockBit. For instance, the US OFAC has been reiterating that paying ransom may violate sanctions and now has a good opportunity to review all payments made to LockBit. Likewise, national DPAs in Europe may also wish to compare a list of data breaches reported by victims and the breaches for which a ransom was paid to LockBit. This may eventually lead to investigations against breached companies who silently paid a ransom to conceal a data breach, without reporting it anywhere as required by law.”

And Victor Acin, Head of Threat Intel at Outpost24, notes that more seizures need to be confirmed before it can be assumed that the group is out of business: “According to this latest news, it appears that law enforcement has managed to only take down the Data Leak site thus far. Although this might have affected the affiliate infrastructure of LockBit, meaning affiliates have no place to upload the data they encrypt, or to negotiate with the clients, I believe it will be easy to reproduce if the members of LockBit haven’t been arrested. As Lockbit is one of the most prolific ransomware gangs and therefore most likely one of the biggest bread winners out there, a takedown such as this will not stop them.”

“Operation Cronos” was reportedly initiated in April 2022 by Eurojust, showing the long-term commitment and seriousness with which international law enforcement has been approaching the biggest ransomware operators in recent years. The fruits of these efforts may take some time, but the players at the top of the food chain have consistently been taken out since Darkside and REvil crossed red lines with their critical infrastructure attacks in 2021.

While this is a very positive development, the usual end result of a breakup of a major ransomware group is that the operators based in Russia (or allied countries such as Belarus) are left to simply reform under a new name that has less heat on it. The LockBit ransomware group was one of the most successful from 2020 to present, racking up over 2,000 victims and receiving over $120 million in payments. Having attacked everything from Italy’s Internal Revenue Service to the UK’s Royal Mail, its members are committed career criminals at this point and will likely be looking to get right back in the game as soon as they can.

As Ray Carney, Director of Security Response and Zero-Day Research at Tenable, observes: “LockBit is a very successful criminal enterprise. Like any large revenue generating enterprise, LockBit likely had established contingency plans in place. It’s widely believed that LockBit operates out of Russia, and as such they almost certainly operate with some degree of state protection and support. They won’t take their ball and go home over this.”

Toby Lewis, Global Head of Threat Analysis at Darktrace, agrees that LockBit will be back but thinks that the reputational blow will slow down the threat actors for some time: “Although a partial takedown of the world’s most prolific ransomware gang is a huge win for global law enforcement, it likely won’t be fatal for LockBit. It’s probable we’ll see them go underground to regroup, re-tool and come out again, swinging. One interesting aspect, however, is LockBit’s reputation. Their affiliate model means reputation matters and LockBit may struggle to retain credibility following this shut down, even if they attempt a re-launch. They’ll likely do what any business would do – rebrand.”