International Operation Dismantles LockBit Ransomware Group

A coordinated international operation, dubbed ‘Operation Cronos’, has successfully dismantled the criminal operations of the LockBit ransomware group, the world's most prolific and damaging ransomware entity, according to Europol. The operation was led by the UK's National Crime Agency (NCA) and coordinated on aEuropean level by Europol and Eurojust, with additional support by the US State Department. This success of this operation highlights the need for global partnerships to deal efficiently with these threats, outlining a potential action plan against cybercrime.

LockBit's origin dates back to late 2019 under the ransomware alias 'ABCD', making use of a ransomware-as-a-service business model. In this model, a central team created the malware and managed the website, licensing its code to affiliates to launch cyberattacks. This model facilitated the organization’s rapid expansion, becoming the most widely deployed ransomware variant worldwide by 2022, according to the NCA. During its rise, the dissemination of its RaaS enabled LockBit to execute more than two thousand attacks worldwide, primarily targeting hospitals, city halls, and businesses of all sizes.  This resulted in  more than $144 million in data ransom payments over two years, according to the U.S. Department of State (DOS).

Pre-deployment preparations for Operation Cronos consisted of 27 operational meetings and four one-week technical sprints organized by Europol's European Cybercrime Center (EC3). The agency also provided analytical support, cryptocurrency tracing, and forensic assistance to the investigation, facilitating information sharing through the Joint Cybercrime Action Team (J-CAT). Over  1,000 operational messages were exchanged through Europol's secure SIENA information channel, making it one of EC3's most active investigations.

Operation Cronos succeeded in compromising LockBit's main platform and other critical digital and network infrastructure, resulting in the takedown of 34 servers across Europe, North America, and Oceania. The NCA assumed control of the technical infrastructure that allowed LockBit to operate, including the dark web site where victims' stolen data had been hosted. In addition, two key members of LockBit, Artur Sungatov and Ivan Gennadievich Kondratiev, were arrested in Poland and Ukraine, as confirmed by the US Department of Treasury. This resulted in the issuance of three additional  international arrest warrants and five indictments by French and US authorities. Furthermore, in a move to disrupt the economic incentives driving the purchase of ransomware services, more than 200 cryptocurrency accounts linked to the organization were frozen.

While the takedown of LockBit is a significant achievement, authorities emphasize that it does not mark the end of the fight against ransomware and other cybercrime. Rather, this event highlights the imperative to strengthen cybersecurity systems across all sectors. As a proactive measure to neutralize future attacks by this organization, Europol, collaborating with the Japanese Police, the NCA, and the Federal Bureau of Investigation, has focused on developing decryption tools to recover files encrypted by the LockBit ransomware. These solutions are available for free on the “No More Ransom” portal, which supports  37 languages and has already benefited more than 6 million victims worldwide. The portal features more than 120 solutions capable of decrypting more than 150 different types of ransomware.

With the vast amount of information gathered during the investigation, law enforcement is prepared to support international operations targeting the group's Russian-linked leaders, according to statements made by the US Treasury Department, as well as developers, affiliates and infrastructure linked to the criminal activities. In a final announcement, the US State Department also offered a reward of up to US$15 million for information leading to the arrest of Lockbit's leaders.