The
The announcements are a boon to the safety of critical infrastructure in the U.S. and Europe. Based in Russia, LockBit was responsible for multiple ransomware attacks against critical infrastructure in the U.S., including financial institutions. In the announcement about the arrests and seizures, Graeme Biggar, the director of the U.K. National Crime Agency (NCA), called LockBit “the world’s most harmful cyber crime group.”
“We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity,” Biggar said.
In November, LockBit
On Tuesday, the FBI released
“Russia continues to offer safe harbor for cybercriminals where groups such as LockBit are free to launch ransomware attacks against the United States, its allies, and partners,” reads the announcement from the Treasury.
LockBit operated through an affiliate system known as ransomware-as-a-service. Core team members built the LockBit ransomware that LockBit affiliates would then use to launch attacks. Affiliates and core team members divided the spoils of attacks, with affiliates typically receiving 80% of the ransom payments collected, according to the indictment against Kondratiev and Sungatov.
Victim organizations paid these ransoms, often controversially, to decrypt their systems. Victims also made the payments in exchange for a promise from the criminal organization that it would delete (rather than share or exploit) the personal information (such as Social Security numbers) of individuals whose data LockBit had stolen.
According to an announcement from the NCA, some of the data the agency discovered on LockBit’s systems belonged to victims who had paid a ransom to the threat actors. This, the agency said, is evidence that “even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised.”
With the LockBit decryption keys seized, the FBI encouraged any victim of LockBit ransomware needing help with decryption to contact the FBI via
Law enforcement removed the original contents of LockBit’s victim-shaming website, where the gang had posted personally identifiable information (PII) on millions of individual victims stolen from victim organizations. European, U.S. and U.K. law enforcement agencies
On the seized site, the agencies also promised analyses over the coming days of an in-development iteration of LockBit encryption malware and of the cryptocurrency profits the group has reaped over its four years of operation, now that the group’s 200 cryptocurrency accounts have been frozen.
As a victory lap, the law enforcement agencies mimicked the style of LockBit’s original website with the seized website. They used the same color palette, grid layout, and countdowns for pending releases that the ransomware group had used.
A red banner at the bottom of the site on Tuesday gives a countdown that updates every second, indicating not how long a victim company has to pay a ransom, but how long the seized website has before it is set to shut down permanently — a taunt of any LockBit core members or affiliates who remain at large.