More than 2,000 organizations in the West were attacked using software from the hacking group Lockbit. Now two suspected members of the group have been arrested. The criminals also apparently operated servers in Switzerland and Germany.
British postal service Royal Mail is also among Lockbit's victims. Pictured: A locked post box in London, January 24, 2024.
An international team of investigating authorities said it had dismantled the Lockbit hacker group. This was first reported by British law enforcement agency the National Crime Agency (NCA) on Tuesday morning.
Lockbit is accused of extorting thousands of companies and organizations using malware, stealing their data, encrypting it, publishing it and selling the data if a ransom is not paid.
According to a Europol statement, two suspected members of the group have now been arrested, one in Poland and the other in Ukraine.
Furthermore, more than 200 cryptocurrency wallets were frozen and 14,000 “rogue profiles” were blocked. The profiles, and the platforms on which they were hosted, were allegedly used by Lockbit members to store data stolen from the blackmailed organizations and to prepare and carry out attacks, IT portal Bleeping Computer wrote.
Europol communications also show that Lockbit also runs infrastructure in this country. 34 servers connected to the group were shut down, including systems in Germany, Switzerland, the Netherlands, Finland, Australia and the USA.
Investigators also published three international arrest warrants and five indictments against suspected Lockbit members. Two of the accused are known: Russians Artur Sunjato and Ivan Kondratiev, known by his nickname “Busterlord”.
“Operation Cronos” publishes the penalty order on the Lockbit website
Law enforcement agencies from ten Western countries worked together in the coup: Germany, Switzerland, France, Great Britain, the Netherlands, Sweden, USA, Canada, Australia and Japan. On the Swiss side, the Federal Police and the Zurich Cantonal Police participated in the investigation.
The investigation team called “Operation Cronos” also took control of the Lockbit dark web site. Reuters shared a screenshot of the dark web site that was taken over on Tuesday morning with the slogan: “Site now under police control.”
Reuters distributed a screenshot of a dark web page captured from Lockbit on the morning of February 20, 2024.
According to research by NZZ, investigators posted various reports on the Darknet website in the afternoon, including a punitive order for other Lockbit members and a recommendation for victims of cyber extortion to report to the police.
Screenshot of a dark web page captured from Lockbit on the afternoon of February 20, 2024.
“We have been infiltrated by hackers,” Graeme Biggar, director of Britain's National Crime Agency, said in a media statement.
It seems that the authorities do not have full control
It remains unclear how complete the authorities' control over Lockbit is. Three Lockbit services remain online, security researcher Kevin Beaumont wrote in a post on Mastodon on Tuesday morning. One service is still offering the stolen data for sale. NZZ was able to confirm this in its own research on the Darknet.
British television station Sky News also reported that a Lockbit representative said via an encrypted messaging app that the group had backup servers that were not affected by law enforcement. The claim cannot be verified.
The data can now be decrypted
Lockbit is one of the most important hacking groups in the world. Its software was used in more than 2,000 attacks, extorting $120 million, according to the US Department of Justice.
In 2022, Lockbit was the most widely used ransomware. Its most prominent victims include the British postal service Royal Mail and the French Ministry of Justice.
There is now hope for malware victims. According to Europol, authorities have created a tool that victims can use to decrypt their data. This can be accessed via the “No More Ransom” website.
According to British authorities, Lockbit appeared on Russian-language forums in 2019, leading some analysts to believe the group originated in Russia. On its dark web website, it listed its headquarters as the Netherlands and emphasized that it was apolitical and was only interested in money. However, one of the gang members, a 20-year-old Russian, was arrested in mid-2023.
Lockbit created a veritable ecosystem around its malware: the group sold the software to so-called affiliates, that is, partners who used it to carry out actual attacks on companies and authorities. In the case of successful attacks, affiliates paid Lockbit a 20 percent share of the ransom, according to a US indictment. So we are talking about ransomware as a service, i.e. extortion software as a service.
It may now be conceivable that Lockbit is trying to rebuild its criminal enterprise. The authorities are aware of this too. “Our work doesn’t end here,” said NCA President Biggar. But now we know who the actors are and how they work.
Update from February 20, 11 p.m.: An earlier version of this article mentioned a post on X about a message Lockbit allegedly addressed to its business partners. The mailer has revealed that this message is fake.
