Legal Crackdown on Lockbit ransomware

This content has been archived, but it remains accurate and relevant to the underlying technology products and infrastructure services.

There has been a massive crackdown on the Lockbit ransomware operation, carried out jointly by law enforcement agencies from multiple countries. We look at the details of this crackdown below.

  • The law enforcement agencies have seized Lockbit’s infrastructure. Lockbit domains carry a legal seizure notice.
  • Over 1000 decryption keys have been recovered in the operation. These should help in the recovery of encrypted data.
  • The legal crackdown was part of an international operation involving the FBI and law enforcement agencies in Canada, Australia, France, Germany, Switzerland, Sweden, Finland, the Netherlands, Japan, and Europol.
  • The operation has resulted in two arrests, more than 200 cryptocurrency accounts being frozen, the takedown of 34 servers, and the closure of 14,000 rogue accounts.
  • Two Lockbit affiliates based in Poland and Ukraine were arrested.
  • The FBI and French authorities have also released three international arrest warrants and five indictments.
  • Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised.

This legal crackdown appears to have been led by the UK-based National Crime Agency (NCA). In its disclosure, the NCA released valuable comments about the crackdown, its immediate impact, and the likely future impact on Lockbit’s operations.

  • The NCA led the covert operation to target Lockbit infrastructure under Operation Cronos.
  • The NCA has commented – “LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down.”
  • Europol has arrested two LockBit actors in Poland and Ukraine.
  • Over 200 cryptocurrency accounts linked to the Lockbit ransomware group have been frozen.
  • The NCA has obtained over 1,000 decryption keys and will be contacting UK-based victims in the coming days and weeks to offer support and help them recover encrypted data. The FBI and Europol will support victims of Lockbit in other countries.

The NCA described the impact of Operation Cronos.

UK’s National Crime Agency Director General, Graeme Biggar said: “This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.

Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

This makes for interesting reading.

  • The Lockbit infrastructure was hacked into by the NCA using a ‘Remote Code Execution’ (RCE) vulnerability in Lockbit’s servers.
  • The vulnerability in question affected PHP servers.
  • The RCE vulnerability is CVE-2023-3824. It is a CRITICAL vulnerability with a CVSS score of 9.8. You can read more about it on the GitHub site.
  • In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading a phar file, insufficient length checking while reading PHAR directory entries may lead to a stack buffer overflow, potentially resulting in memory corruption or RCE.
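The bullet above describes the bug class behind CVE-2023-3824: a length field read from an untrusted archive is used to copy data into a fixed-size stack buffer without first checking it against that buffer. The C below is an added example written for this article; it is not PHP's phar code and uses a constructed, simplified entry layout (a 4-byte little-endian name length followed by the name bytes) purely to show the check that must exist before the copy. Function names, the `MAX_NAME` limit and the sample byte strings are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified layout (NOT the real phar format): each directory
 * entry is a 4-byte little-endian name length followed by that many bytes
 * of file name. The name is copied into a fixed-size stack buffer, which is
 * exactly the situation where a missing length check becomes an overflow. */
#define MAX_NAME 64

struct dir_entry {
    char name[MAX_NAME + 1];  /* fixed-size destination buffer */
    uint32_t name_len;
};

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened reader: every length taken from the file is validated against
 * both the destination buffer and the bytes actually present before any
 * copy happens. Returns the number of bytes consumed, or -1 if the entry
 * is malformed. Without the `len > MAX_NAME` check, memcpy would write
 * past out->name for any entry whose declared length exceeds 64 bytes,
 * which is the defect pattern the CVE description refers to. */
long read_dir_entry(const uint8_t *buf, size_t buf_len, struct dir_entry *out) {
    if (buf_len < 4) return -1;              /* not even a complete length field */
    uint32_t len = read_u32le(buf);
    if (len > MAX_NAME) return -1;           /* declared length vs. stack buffer size */
    if (len > buf_len - 4) return -1;        /* declared length vs. remaining input */
    memcpy(out->name, buf + 4, len);
    out->name[len] = '\0';
    out->name_len = len;
    return 4 + (long)len;
}

/* Walk all entries in a directory blob. Returns the entry count, or -1 as
 * soon as one entry fails validation (a parser should stop, not guess). */
int parse_directory(const uint8_t *buf, size_t buf_len) {
    size_t off = 0;
    int count = 0;
    while (off < buf_len) {
        struct dir_entry e;
        long used = read_dir_entry(buf + off, buf_len - off, &e);
        if (used < 0) return -1;
        off += (size_t)used;
        count++;
    }
    return count;
}

/* Constructed sample: two well-formed entries, "abc" and "xy". */
int demo_good(void) {
    const uint8_t good[] = {3,0,0,0,'a','b','c', 2,0,0,0,'x','y'};
    return parse_directory(good, sizeof good);
}

/* Constructed sample: the length field claims 4096 bytes (0x1000) but only
 * three follow; the hardened reader rejects it instead of copying 4096 bytes
 * into a 65-byte stack buffer. */
int demo_oversized(void) {
    const uint8_t bad[] = {0x00,0x10,0x00,0x00,'a','b','c'};
    return parse_directory(bad, sizeof bad);
}

/* Constructed sample: a length that fits the buffer but not the input. */
int demo_truncated(void) {
    const uint8_t trunc[] = {10,0,0,0,'a','b'};
    return parse_directory(trunc, sizeof trunc);
}

int main(void) {
    printf("well-formed: %d entries\n", demo_good());
    printf("oversized length: %d\n", demo_oversized());
    printf("truncated entry: %d\n", demo_truncated());
    return 0;
}
```

The two comparisons in `read_dir_entry` are the whole point: one bounds the copy by the destination, the other by the source. A parser that trusts the archive's own length field for either is the pattern behind the stack overflow described in the CVE text, and the fix is the same regardless of file format.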

Lockbit has been active for the past 4 years and is considered one of the strongest ransomware operators in the world.

LockBit ransomware attacks targeted thousands of victims around the world, including in the UK, and caused losses of billions of pounds, dollars and euros, both in ransom payments and in the costs of recovery. 

The group provided ransomware-as-a-service to a global network of hackers or ‘affiliates’, supplying them with the tools and infrastructure required to carry out attacks.

When a victim’s network was infected by LockBit’s malicious software, their data was stolen and their systems encrypted. A ransom would be demanded in cryptocurrency for the victim to decrypt their files and prevent their data from being published.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.