Sikov - stock.adobe.com

Authorities Successfully Disrupt LockBit Ransomware Group

The US and UK disrupted LockBit ransomware group’s operations and developed decryption tools that may allow victims to restore systems infected by LockBit.

The US Department of Justice (DOJ) and UK authorities announced the disruption of the LockBit ransomware group at a press conference held in London on February 20. LockBit was a notorious ransomware group that claimed more than 2,000 victims and received upwards of 120 million in ransom payments in recent years.

As previously reported, LockBit was documented as one of the most prolific ransomware variants in 2022 and 2023. The ransomware-as-a-service (RaaS) group and its affiliates claimed responsibility for cyberattacks against US healthcare organizations and other organizations across the world.

The U.K. National Crime Agency’s (NCA) Cyber Division, along with the FBI and other international partners, successfully disrupted LockBit by seizing multiple public-facing websites used by LockBit and seizing control of servers used by LockBit administrators. As a result of these seizures, LockBit actors are unable to attack and encrypt networks further.

“Today’s actions are another down payment on our pledge to continue dismantling the ecosystem fueling cybercrime by prioritizing disruptions and placing victims first,” said Attorney General Lisa Monaco in a press release.

“Using all our authorities and working alongside partners in the United Kingdom and around the world, we have now destroyed the online backbone of the LockBit group, one of the world’s most prolific ransomware gangs. But our work does not stop here: together with our partners, we are turning the tables on LockBit — providing decryption keys, unlocking victim data, and pursuing LockBit’s criminal affiliates around the globe.”

In addition to providing decryption keys and disrupting operations, the DOJ unsealed an indictment against Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous US victims.

Sungatov allegedly deployed LockBit ransomware against a variety of victim corporations beginning in January 2021 and took steps to fund additional LockBit attacks against other victims. Both Sungatov and Kondratyev were believed to have been part of the global LockBit cybercrime network, through which they developed and deployed ransomware and extracted payments.

A total of five LockBit members have been charged in connection with the LockBit conspiracy as part of years-long effort to disrupt the group, the DOJ noted.

“Through years of innovative investigative work, the FBI and our partners have significantly degraded the capabilities of those hackers responsible for launching crippling ransomware attacks against critical infrastructure and other public and private organizations around the world,” said FBI Director Christopher Wray.

“This operation demonstrates both our capability and commitment to defend our nation's cybersecurity and national security from any malicious actor who seeks to impact our way of life. We will continue to work with our domestic and international allies to identify, disrupt, and deter cyber threats, and to hold the perpetrators accountable.”

DOJ Disruptions Have Threat Actors Rethinking Cyberattacks

In light of the high volume of ruthless cyberattacks against critical infrastructure in recent years, the DOJ and its international partners have continuously raised the stakes and set an example for threat actors who try to disrupt critical services.

In January 2023, the DOJ successfully disrupted Hive ransomware group and was able to distribute more than 1,000 decryption keys to past Hive victims. In December 2023, the DOJ disrupted BlackCat ransomware group, which had previously claimed responsibility for attacks against Lehigh Valley Health Network and Henry Schein, a major distributor of healthcare products.

“We've seen multiple major law enforcement actions lately, which is sending shockwaves through the criminal community,” said Charles Carmakal, CTO at Mandiant Consulting.

“The impact of the law enforcement actions are reminiscent of some of the bold actions taken after the Colonial Pipeline incident in 2021. Many threat actors were genuinely concerned about getting arrested, since a lot of these operators have families and do this as their job. Some will reconsider whether the risk is worth it, given these actions.”

As the DOJ continues to go after notorious ransomware gangs, Carmakal predicted that some threat actors may scale back on their attacks or switch up their operating models to avoid repercussions.

“This is a righteous, serious blow against a malevolent actor that has caused financial losses and real suffering all over the world. We couldn’t hope for much more in terms of a disruption to ransomware operations,” added Sandra Joyce, VP at Mandiant Intelligence, Google Cloud.

“This is the model we hope to see more of moving forward. But before we lower our defenses we should remember that LockBit operates in a marketplace where competitors are waiting to take their place. Hopefully, they’ll receive the same treatment."

While experts agreed that this takedown was a major win in the ongoing fight against cyber threat actors, this is not the time to decrease defensive efforts.

“Although it is good news that the crypto money has been seized and two individuals have been arrested, it's not a sign that we should lower our defenses. There are still other gangs out there, there is still a lot of inconsistency between countries related to cybercrime, and there is still money in the game,” said Dirk Schrader, vice president of security research at Netwrix. 

“So, companies should not scale down their efforts to protect their data, identities, and infrastructure. Heed the advice that an ounce of prevention is better than a pound of cure. Make sure that you have your accounts protected using MFA, that privileges are reduced to the minimum needed to do the job and exist only just-in-time, that your systems are hardened, and your vital data is secured. We will see whether LockBit remains out of business, but for sure others are ready to fill the void.”

Next Steps

Dig Deeper on Cybersecurity strategies