Updated Feb 20, 2024 - Technology

FBI, police partners take down most prolific ransomware gang to date

Screenshot: The law enforcement notice that appeared on the LockBit ransomware gang's website on Feb. 19.

International law enforcement agencies have arrested two members of the notorious ransomware gang LockBit and seized the group's web infrastructure as part of a wide-reaching takedown operation, officials said Monday.

Why it matters: LockBit is one of the most prolific and active ransomware gangs. Taking down its operations is a huge win for law enforcement and cyber defenders fighting ransomware.

  • Most recently, LockBit has claimed responsibility for a ransomware attack on Georgia's Fulton County that has disrupted key county services for weeks.

What's happening: As part of "Operation Cronos," a group of law enforcement agencies arrested two LockBit members in Poland and Ukraine, took down 34 data servers and froze more than 200 cryptocurrency accounts, according to Europol.

  • Four of those servers were in the U.S., Brett Leatherman, deputy assistant director of the FBI's cyber division, said in remarks Tuesday.
  • The announcement came after law enforcement also replaced LockBit's dark-web leak site — where the hacking group publicly lists its victims who haven't paid a fee to unlock their systems after a cyberattack — with a notice on Monday.
  • "This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force [on] 'Operation Cronos,'" according to the notice seen by Axios.

What they're saying: "Today's announcement is only the beginning," Leatherman said.

  • "We'll continue gathering evidence, building out our map of LockBit developers, administrators, and affiliates, and using that knowledge to drive arrests, seizures, and other operations, whether by the FBI or our partners here and abroad."

Of note: Law enforcement has created a decryption tool that LockBit victims can use to unlock their systems without paying a ransom.

  • The tool is available in 37 languages and has already helped more than 6 million victims worldwide, Europol said.

The big picture: LockBit was the most deployed ransomware variant across the world in 2022, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

  • LockBit ran on a so-called ransomware-as-a-service model: Its operators developed file-encrypting malware that freelance hackers would use in their own schemes.
  • If the attack was successful, the operators would receive a cut of the proceeds.
  • Hackers have used LockBit's ransomware strain in attacks on thousands of organizations, including those targeting chipmaker TSMC, Accenture and a Foxconn subsidiary.

Between the lines: LockBit was one of the last remaining ransomware-as-a-service offerings, and hundreds of affiliate hackers have worked with it, Allan Liska, a ransomware expert at Recorded Future, told Axios.

  • "This is a significant disruption in the ransomware ecosystem," Liska said. "Even if the ringleaders associated with LockBit are not arrested, it likely means a temporary slowdown in ransomware attacks."

The intrigue: LockBit's operators are believed to be based in Russia, making arrests difficult to pull off.

  • The State Department is now offering up to $15 million to anyone who has information about LockBit associates, per Leatherman.

Yes, but: Ransomware gangs are known for their adaptability and willingness to rebuild and rebrand after law enforcement actions.

Editor's note: This story has been updated with new developments and details throughout.