The most extraordinary week in ransomware history anyone can remember began on Feb. 19 with an historic takedown of the infrastructure used by notorious ransomware group, LockBit.
Industry watchers were euphoric, almost giddily so. If anything, that might be understating it. Twitter-X was ablaze with congratulations, most of them aimed at Britain’s National Crime Agency (NCA), which spearheaded the operation.
Allan Liska of Recorded Future (a former contributor to this site) even posted a picture of cupcakes his colleagues had delivered to their Boston office to celebrate the occasion.
But there was more. On the police seizure message on LockBit’s webpage, the police teased an even bigger revelation for Feb. 23—the identity of the group’s dark web admin.
Disappointingly, when the day and hour arrived, no name was forthcoming. However, what was revealed was still intriguing; the group’s infamous dark web admin “LockBitSupp” was male, drove a Mercedes, and had “engaged with law enforcement.”
We don’t know how significant this is. Do the authorities know his name or only some details of his life? In what sense has he “engaged” and does it even matter given the disruption to the group’s platform?
What Happened?
The technical explanation:
“The months-long operation has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise,” said NCA partner Europol in its release.
In other words, the gang’s websites, including command and control and dark web leak sites (34 in total) were seized, effectively putting LockBit offline. Helpfully, victims of LockBit can now download a decryption tool to regain access to their encrypted files.
At least two arrests were also made while international warrants were issued for three others. Others might soon follow, sending the message to affiliates and hangers-on that they are not safe when they use this group’s platform.
Tables Turned
The police announcement was far from the standard cybercrime takedowns, which are normally sober, almost bureaucratic affairs. It was as if the public humiliation was intended to smash the credibility of the platform and the people running it for good.
On that score, the NCA and its partners will see the operation as a success even as LockBit tries to resurrect itself. The group’s reputation for resilience and professionalism has long preceded it. If the authorities can compromise this, they can probably do the same to other, still-operating ransomware groups.
It’s hard not to see this as a major psychological blow for a group responsible for numerous big ransomware attacks in the last four years, including the Royal Mail, Boeing, Capital Health, and CRM company Atento. The incident will also be analyzed for lessons by other ransomware groups.
What’s striking is that this is the latest in a quickening pace of ransomware group disruptions in the last year that includes Ragnar Locker in October and the major ALPHV/BlackCat group in December.
That’s on top of Rhysida ransomware (responsible for the attack on the British Library) recently having its keys cracked, and RansomedVC shutting down in November.
Ransomware has long operated with impunity. If nothing else, perhaps that at least has now gone for good.
