Categories: CyberCrimeSecurity

Two Arrested In LockBit Ransomware Gang Takedown

Law enforcement arrested two actors in the LockBit ransomware gang in Poland and Ukraine on Tuesday morning, according to the UK National Crime Agency (NCA), which said authorities had disrupted the gang’s “entire criminal enterprise”.

The NCA worked with the FBI, Europol and law enforcement from nine other countries on the operation, called Cronos, authorities said.

Over the past 12 hours the infrastructure for LockBit’s bespoke data exfiltration tool, called Stealbit, has been seized by members of the task group across three countries, the NCA said.

Some 28 servers belonging to LockBit affiliates have also been taken down, the NCA said.

‘Thousands of victims’

LockBit, which came to prominence in 2020 and 2021, was set up as a ransomware-as-a-service model in which affiliate hackers use its tools and infrastructure to carry out attacks.

A study last month found it was last year’s most prolific ransomware group, with past targets including Boeing, Royal Mail Group and the City of Oakland.

“LockBit ransomware attacks targeted thousands of victims around the world, including in the UK, and caused losses of billions of pounds, dollars and euros, both in ransom payments and in the costs of recovery,” the NCA said.

The group typically encrypted targets’ networks and also stole sensitive data, charging a double ransom to unlock the systems and refrain from publishing the data.


The NCA said it planned to publish a series of daily information articles on the site LockBit used to publish stolen data, which the NCA seized late on Monday.

The agency said it found data on LockBit’s systems belonging to targets that had paid a ransom, showing that the group had not deleted the data as promised.

In a wider action coordinated by Europol, two LockBit actors were arrested in Poland and Ukraine on Tuesday morning and more than 200 cryptocurrency accounts linked to the group were frozen.

The US Department of Justice said two defendants who acted as LockBit affiliates have been criminally charged, are in custody and are to face trial in the US.

Decryption keys

The US unsealed indictments against two further individuals, Russian nationals, for conspiring to commit LockBit attacks.

The NCA has obtained more than 1,000 decryption keys and said it would be contacting UK-based targets in the coming days and weeks to help them recover encrypted data, with the FBI and Europol assisting targets elsewhere.

“No criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners,” NCA director general Graeme Biggar said.

He acknowledged that the hackers may seek to rebuild their enterprise. “However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them,” Biggar said.

Server backups

An account used by LockBit’s operators said on Monday that the group had “backup servers without PHP” that “can’t be touched” by law enforcement.

Agencies apparently used a PHP exploit to attack the group’s servers.

Europol said 34 LockBit servers had been taken down in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.

“This infrastructure is now under law enforcement control, and more than 14,000 rogue accounts responsible for exfiltration or infrastructure have been identified and referred for removal by law enforcement,” Europol said.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

China Tells Telecom Carriers To Phase Out Foreign Chips – Report

Tit-for-tat. Another blow for Intel and AMD in China, after Beijing orders telecom carriers to…

1 day ago

Sam Bankman-Fried Appeals FTX Fraud Sentence Of 25 Years

Disgraced crypto billionaire and former FTX CEO Sam Bankman-Fried appeals 25 prison sentence for masterminding…

1 day ago

UK Regulator Flags Competition Risks Of AI Foundation Models

British competition regulator has “real concerns” regarding AI foundation models controlled by small number of…

1 day ago

Micron Notes DRAM Supply Hit After Taiwan Earthquake

Concerns realised. Memory maker Micron admits hit to DRAM supply following Taiwan's biggest earthquake in…

2 days ago

US Senator Hints At TikTok Divestiture Deadline Extension

China's ByteDance may be given up to a year to divest itself of TikTok, used…

2 days ago