Lockbit ransomware gang’s origins, tactics and past targets – and what next after policing breakthrough | UK News

An infamous cyber crime gang has been disrupted by the National Crime Agency (NCA) and a coalition of international police agencies.

Lockbit and its affiliates have hacked some of the world’s largest organisations in recent months, but as of Monday their extortion website displays a message saying it is “under the control of the National Crime Agency of the UK”.

Five Russian nationals have been charged.

But what is Lockbit, what are its criminal tactics and who has fallen victim to it? Here’s what we know…

What Lockbit does

The gang makes money by stealing sensitive data and threatening to leak it if victims fail to pay an extortionate ransom.

Its affiliates are like-minded criminal groups that are recruited to wage attacks using Lockbit’s digital extortion tools.

US officials have described Lockbit as the world’s top ransomware threat. The group has hit organisations in nearly every industry, from financial services and food to schools, transportation and government departments.

The gang has caused losses of billions of pounds, dollars and euros, both in ransom payments and in the costs of recovery, according to the UK’s National Cyber Security Centre (NCSC).

Lockbit’s website, until Monday, displayed an ever-growing gallery of victim organisations that was updated almost daily.

Next to their names were digital clocks that showed the number of days left to the deadline given to each organisation to provide ransom payment.

The FBI has attributed at least 1,700 attacks in the US alone to Lockbit ransomware.

What are the group’s tactics?

The NCSC and America’s Cyber Defence Agency (ACDA) shed some light on Lockbit’s tactics last year as it had become “the most deployed ransomware variant across the world”.

In an extensive mitigation advisory, they described how the Lockbit operation uses a “ransomware-as-a-service” model where cyber criminals sell access to their ransomware variant to unconnected affiliates and provide them with support in carrying out attacks.

It also highlighted the risk of double extortion – a common tactic used by ransomware actors where they encrypt a victim’s system and extract information, with threats that they will post it online unless a ransom is paid.

Lockbit’s strategies are, of course, incredibly complex, but here are some summarised highlights from ACDA’s advisory:

  • It has three main strains: Lockbit, Lockbit Red and Lockbit Black – and the latter is the group’s signature ransomware. It scrambles computer files and demands payment in cryptocurrencies that are hard to trace in exchange for unscrambling them.
  • Lockbit’s core group not only allows affiliates to use its ransomware, but it lets those affiliates receive ransom payments first-hand before sending the core group a cut. This is in stark contrast to similar groups, which tend to pay themselves before affiliates.
  • Its ransomware is kept simple with a point-and-click interface, making it accessible to a wide array of cyber criminals – even those with a lower degree of technical skill.

Essentially, Lockbit keeps things as simple as possible for potential affiliates because the more criminals it appeals to, the more cuts the core group receives from the extortion cases those affiliates run.

But the group’s tactics go to even greater depths, according to ACDA, essentially advertising through methods such as:

  • Disparaging other similar groups in online forums to make Lockbit look like the best ransomware on the market.
  • Paying people to get Lockbit tattoos.
  • Putting a $1m (£794,163) bounty on information related to the real-world identity of Lockbit’s lead, who goes by the persona “LockBitSupp”.

What do we know of Lockbit’s origins and motives?

On its website, the group said it was “located in the Netherlands, completely apolitical and only interested in money”.

But its malicious software was first discovered on Russian-language cyber crime forums in 2020, leading some security analysts to believe the gang is based in Russia.

Since then the group has been detected all over the world, with organisations in the UK, United States, India and Brazil among common targets, according to cybersecurity firm Trend Micro.

High-profile cases

With worldwide reach, Lockbit has been in the news frequently since 2020.

The most prominent case in the UK came early last year when the Royal Mail faced severe disruption after a Lockbit attack.

Royal Mail’s investigation found the gang infected machines that print customs labels for parcels being sent overseas, leaving more than half a million parcels and letters stuck in limbo.

The gang also threatened to publish stolen data on the dark web, making printers at a Northern Irish Royal Mail distribution centre “spurt” out copies of the ransom note – a signature scare tactic of the gang.

Royal Mail asked customers to temporarily stop submitting any export items while the NCSC helped it resolve the issue.

Car dealership threats

The year before, Lockbit affiliates tried to hold UK car dealership group Pendragon to a $60m (£54m) ransom, but the company refused to pay up, saying the hack had not affected its ability to operate and that it “took immediate steps to contain the incident”.

Children’s hospital deemed a stretch too far

Another infamous incident came in December 2022 when Lockbit ransomware was used to attack SickKids in Canada, causing a system failure.

Bizarrely, the core gang claimed it released a free decryptor for the hospital to use, saying a member had broken its “policies”.

It said affiliates were prohibited from encrypting medical institutions where attacks could lead to death.

Security firm hit

In August last year, Lockbit hackers allegedly acquired top secret security information on some of the country’s most sensitive military sites, including the HMNB Clyde nuclear submarine base on the west coast of Scotland and the Porton Down chemical weapons lab, according to the Sunday Mirror.

Thousands of pages of data leaked onto the dark web after private security firm Zaun was targeted.

The company, which provides security fencing for sites related to the Ministry of Defence, confirmed in a statement it had been the victim of a “sophisticated cyber attack”.

A Zaun spokesperson added it had taken “all reasonable measures to mitigate any attacks on our systems” and explained that it had referred the matter to the NCSC.

Latest big case

There were reports of Lockbit activity just last week, when India’s Motilal Oswal Financial Services said it had detected malicious activity on the computers of some employees.

The company said it remedied the issue within an hour, adding its operations were unaffected.

“This incident has not affected any of our business operations and IT environment. It is business as usual,” the company worth an estimated $15.3bn told Reuters.

What’s happening now after NCA’s Lockbit takeover?

The full post on Lockbit’s website that went up on Monday reads: “This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”

Europol and other international police organisations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany all aided in the rare law enforcement operation.

An NCA spokesperson confirmed that the agency had disrupted the gang and said the operation was “ongoing and developing”.

In a statement on Tuesday, the NCA added: “The NCA has taken control of Lockbit’s primary administration environment, which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims.

“Instead, this site will now host a series of information exposing Lockbit’s capability and operations, which the NCA will be posting daily throughout the week.”

The US Department of Justice has announced two defendants accused of using Lockbit to carry out ransomware attacks have been criminally charged, are in custody, and will face trial in the US.

A representative for Lockbit posted messages on an encrypted messaging app saying it had backup servers not affected by the law enforcement action.