Law Enforcement Seizes LockBit Ransomware Infrastructure


Law enforcement agencies including UK NCA and FBI take down thousands of sites belonging to prolific LockBit ransomware hackers

Law enforcement agencies including the UK’s National Crime Agency (NCA) have disrupted operations of the LockBit ransomware group, one of the world’s most high-profile hacking gangs, whose targets have included Royal Mail Group, Boeing, automotive giant Continental, Bangkok Airways and the Industrial & Commercial Bank of China.

The main site previously used by LockBit to publish stolen data – a tactic it used to extort funds from targets – now displays an image saying that the site is under the control of law enforcement.

“This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos,” the image reads.

“We can confirm that LockBit’s services have been disrupted as a result of International Law Enforcement action — this is an ongoing and developing operation,” it continues.


Site seizure

The page displays the badges of 16 law enforcement agencies, including the NCA, the FBI, the US Department of Justice and Europol.

“The NCA can confirm that LockBit services have been disrupted as a result of international law enforcement action. This is an ongoing and developing operation,” the NCA said in a statement provided to Silicon UK.

The operation, which took place in recent days, included the participation of agencies from 11 countries and seized 11,000 domains used by LockBit and its affiliates to facilitate ransomware, an FBI representative told Bloomberg.

The operation disrupted LockBit’s infrastructure and targeted its malware deployment system, the representative said.

PHP exploit

The participating agencies released more details later on Tuesday, saying two arrests had been made.

Some of LockBit’s other servers, such as those used to host data or send private messages to the gang, are still operating, BleepingComputer reported.

Domains used by LockBit to negotiate ransoms were amongst those that appeared to have been disabled, the site said.

The FBI may have used a PHP exploit to disrupt the servers, according to an account status message on the Tox messaging service account LockBitSupp, which is used by the threat actors operating LockBit.

‘Have a nice day’

“FBI f****d up servers via PHP, backup servers without PHP can’t be touched,” the status message said in Russian, according to computer security research website vx-underground.

The control panel provided to LockBit affiliates – the hackers that use LockBit’s tools and infrastructure to carry out ransomware attacks – has also been taken down, according to vx-underground.

The panel now displays a message from law enforcement saying LockBit’s source code and details on affiliates’ activities, including who they have attacked, the amount of funds extorted, the data stolen, chats “and much, much more” have been seized.

“You can thank LockBitSupp and their flawed infrastructure for this situation,” the message reads, according to a screenshot shared by vx-underground. “We may be in touch with you very soon. Have a nice day. Regards, The National Crime Agency of the UK, the FBI, Europol, and the Operation Cronos Law Enforcement Task Force.”

Prolific hackers

LockBit came to prominence in 2021 and was the most active ransomware group in 2023, according to a study published last month, which found ransomware activity rose 128 percent over 2022.

The US Cybersecurity and Infrastructure Security Agency (CISA) said last June that LockBit had extorted at least $91 million (£72m) from US organisations alone in up to 1,700 attacks since 2020.

William Wright, chief executive of Closed Door Security, said it was understandable that the NCA would want to play a prominent role in taking down LockBit due to disruption to Royal Mail and other high-profile attacks.

He warned the takedown “may not spell absolute demise of LockBit”.

“The attackers could resurface under new branding as we have seen with DarkSide to BlackMatter to BlackCat, and many others,” he said.