LockBit is one of the most deployed ransomware globally. This hacking group has compromised thousands of entities, spanning financial institutions, logistics companies, and healthcare organizations. These victims are now backed by an international law enforcement task force called Operation Cronos.
On February 20, the National Crime Agency (NCA) of the UK, alongside the Federal Bureau of Investigation (FBI), declared the neutralization of the LockBit cybercriminal syndicate. This breakthrough is a critical stride in curtailing online fraud.
The operation enabled authorities to:
Additionally, arrests were made in Poland and Ukraine, capturing two suspects. The future of other LockBit affiliates remains uncertain, with some under U.S. sanctions and others residing in russia, the true identity of the group's mastermind still unverified.
Russian citizen Ivan Kondratiev, aka "Bassterlord," is suspected to be the orchestrator behind LockBit. His connections extend to other hacking factions like REvil, RansomEXX, and Avaddon, and it's speculated he may also collaborate with russia's Federal Security Service.
Prominent victims of LockBit include the British Royal Mail, Boeing, the Industrial and Commercial Bank of China (ICBC), and the law firm Allen & Overy.
On November 10, two weeks after the initial leak claim, LockBit disclosed all 43 GB of data it had on Boeing, including software configuration backups and logs from monitoring and audit tools. Although Boeing confirmed the cyberattack, it did not provide further details about the incident.
Taiwan Semiconductor Manufacturing Company (TSMC). In June 2023, the world's largest semiconductor manufacturer confirmed a data breach after LockBit listed the company among its victims. The hackers demanded $70 million for the return of the data.
The breach didn't occur directly at TSMC but through a hack of one of its IT service providers, Kinmax Technology. This cyberattack potentially affected Nvidia as well; however, unlike TSMC, the tech giant did not confirm any data leak.
Royal Mail. In January 2023, British postal service Royal Mail fell victim to a data leak by LockBit, causing severe disruptions to international mail services.
About three weeks after the incident, LockBit disclosed negotiation details with Royal Mail, revealing a ransom demand of $80 million for the safe return of the stolen data. The postal service refused to pay.
Royal Mail's semi-annual financial reports, published in the fall of 2023, showed a 5% decrease in international parcel volumes due to the LockBit incident. Additionally, infrastructure costs rose by 5.6% over the same period, with the estimated damage cost around $12.4 million.
The initiative to dismantle LockBit began in April 2022, prompted by the French authorities. At the time, France was the fifth most targeted country by ransomware attacks, following the USA, UK, Canada, and Germany.
The seizure of LockBit's infrastructure revealed extensive details about the gang's operations. Besides information on the fate of the stolen data, law enforcement clarified that over 2,000 organizations fell victim to LockBit, with total ransoms amounting to $120 million.
A distinctive feature of Operation Chronos was its psychological impact on LockBit members. For example, the website was hacked in stages: on February 19, an announcement and countdown timer appeared, and by February 20, authorities exposed the "inner workings" of the hackers. Additionally, law enforcement efforts undermined the reputation of the group's leader, LockBitSupp, hinting at plans to reveal their real identity.
Furthermore, this hacker issued a warning about taking retaliatory measures and indicated that government sectors would be their next target. The NCA countered by promising to disclose details about LockBitSupp and announced a $10 million reward for information that could help identify the hacker.
From LockBitSupp's communication, it appears they are unfazed by law enforcement efforts:
While taking a hacker at their word is risky, LockBitSupp's statement suggests that law enforcement only acquired a handful of decoders, apprehended the wrong individuals, and failed to shut down all the websites under the group's control. If this assertion holds, LockBit might similarly rebrand itself, suggesting that authorities might spend additional years attempting to completely dismantle the LockBit network.
The LockBit saga is likely far from over. To stay informed about the latest developments in Operation Chronos and other cutting-edge news in the realms of cryptocurrency and technology, keep an eye on our X account.
The operation enabled authorities to:
- Seize control over the gang's primary website;
- Shut down 34 servers across the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK;
- Freeze 200 cryptocurrency wallets linked to LockBit;
- File charges against five of its members.
Additionally, arrests were made in Poland and Ukraine, capturing two suspects. The future of other LockBit affiliates remains uncertain, with some under U.S. sanctions and others residing in russia, the true identity of the group's mastermind still unverified.
What is LockBit?
LockBit operates as a cybercrime gang, offering either a development kit or ready-to-use software designed to hijack or restrict data access, demanding a ransom in return. The scale of its user base is unclear, but likely involves hundreds of global affiliates.
The modus operandi of ransomware programs. Source: akamai.com
Established in 2019 and originally dubbed "ABCD" for the ".abcd" extension used in encrypting the victims' files, LockBit quickly escalated to become the most prevalent ransomware in existence, targeting entities in the US, China, India, Ukraine, and the EU.
Russian citizen Ivan Kondratiev, aka "Bassterlord," is suspected to be the orchestrator behind LockBit. His connections extend to other hacking factions like REvil, RansomEXX, and Avaddon, and it's speculated he may also collaborate with russia's Federal Security Service.
Prominent victims of LockBit include the British Royal Mail, Boeing, the Industrial and Commercial Bank of China (ICBC), and the law firm Allen & Overy.
Major LockBit Incidents
Boeing. In October 2023, hackers acquired "a vast amount" of confidential data from aerospace giant Boeing and demanded a ransom. Boeing chose to ignore the demand, leading LockBit to release some of the internal information.
On November 10, two weeks after the initial leak claim, LockBit disclosed all 43 GB of data it had on Boeing, including software configuration backups and logs from monitoring and audit tools. Although Boeing confirmed the cyberattack, it did not provide further details about the incident.
Taiwan Semiconductor Manufacturing Company (TSMC). In June 2023, the world's largest semiconductor manufacturer confirmed a data breach after LockBit listed the company among its victims. The hackers demanded $70 million for the return of the data.
The breach didn't occur directly at TSMC but through a hack of one of its IT service providers, Kinmax Technology. This cyberattack potentially affected Nvidia as well; however, unlike TSMC, the tech giant did not confirm any data leak.
Royal Mail. In January 2023, British postal service Royal Mail fell victim to a data leak by LockBit, causing severe disruptions to international mail services.
About three weeks after the incident, LockBit disclosed negotiation details with Royal Mail, revealing a ransom demand of $80 million for the safe return of the stolen data. The postal service refused to pay.
Royal Mail's semi-annual financial reports, published in the fall of 2023, showed a 5% decrease in international parcel volumes due to the LockBit incident. Additionally, infrastructure costs rose by 5.6% over the same period, with the estimated damage cost around $12.4 million.
Operation Cronos
On February 20, participants of Operation Chronos, which includes the NCA, FBI, Europol, and other law enforcement bodies, announced the takedown of LockBit. The operation's name likely references the Greek myth of Cronos, the ruler of the Golden Age, though, unlike the myth where Cronos ends up imprisoned, many LockBit members remain at large.
The initiative to dismantle LockBit began in April 2022, prompted by the French authorities. At the time, France was the fifth most targeted country by ransomware attacks, following the USA, UK, Canada, and Germany.
Ransomware Attack Statistics by Country for 2023. Source: malwarebytes.com
LockBit's French victims included:
- La Poste Mobile: Even though the ransom was negotiated down from $1.4 million to $300,000, the mobile operator refused to cooperate with the hackers, leading LockBit to leak data on over 1.5 million users.
- Centre Hospitalier Sud Francilien: Following an attack on this Parisian medical facility, LockBit demanded a $10 million ransom. Upon refusal, the hackers leaked patient data, including health conditions and examination reports.
- Thales Group: LockBit leaked sensitive data affecting Thales' contracts and partnerships in Malaysia and Italy.
The seizure of LockBit's infrastructure revealed extensive details about the gang's operations. Besides information on the fate of the stolen data, law enforcement clarified that over 2,000 organizations fell victim to LockBit, with total ransoms amounting to $120 million.
A distinctive feature of Operation Chronos was its psychological impact on LockBit members. For example, the website was hacked in stages: on February 19, an announcement and countdown timer appeared, and by February 20, authorities exposed the "inner workings" of the hackers. Additionally, law enforcement efforts undermined the reputation of the group's leader, LockBitSupp, hinting at plans to reveal their real identity.
What's the Current Situation with LockBit?
Despite their website being compromised, LockBit quickly rebounded, establishing a new platform to continue their operations within just five days. LockBitSupp, the group's leader, made a public statement dismissing the impact of Operation Chronos on their non-PHP servers.
Furthermore, this hacker issued a warning about taking retaliatory measures and indicated that government sectors would be their next target. The NCA countered by promising to disclose details about LockBitSupp and announced a $10 million reward for information that could help identify the hacker.
From LockBitSupp's communication, it appears they are unfazed by law enforcement efforts:
No FBI with their assistants can scare me and stop me, the stability of the service is guaranteed by years of continuous work. They want to scare me because they cannot find and eliminate me, I cannot be stopped.
Examining the potential future for LockBit, we can look at previous instances where ransomware groups like Hive and Conti encountered law enforcement actions and simply altered their branding:
- Conti's operations have spread to new factions such as Black Basta, BlackByte, and Karakurt;
- Hive underwent rebranding to become Hunters International.
While taking a hacker at their word is risky, LockBitSupp's statement suggests that law enforcement only acquired a handful of decoders, apprehended the wrong individuals, and failed to shut down all the websites under the group's control. If this assertion holds, LockBit might similarly rebrand itself, suggesting that authorities might spend additional years attempting to completely dismantle the LockBit network.
Final Thoughts
The allure of hacker movies, with their depiction of cybercriminal romance, boldness, and clashes with the law, sometimes mirrors real-life events. The LockBit breach is a prime example of such a narrative unfolding in the real world.
The LockBit saga is likely far from over. To stay informed about the latest developments in Operation Chronos and other cutting-edge news in the realms of cryptocurrency and technology, keep an eye on our X account.