The UK’s National Crime Agency (NCA) confirmed on Tuesday that it had obtained LockBit’s source code, as well as information about the group’s activities and affiliates, as part of a dedicated task force called Operation Cronos.
“Some of the data on the LockBit systems belonged to victims who had paid a ransom to the threat actors, demonstrating that even when a ransom is paid, the data is not guaranteed to be deleted, despite what the criminals have promised,” the agency said.
It also announced the arrest of two LockBit actors in Poland and Ukraine, and more than 200 cryptocurrency accounts linked to the group have been frozen. In the United States, indictments were also unsealed against two Russian nationals accused of carrying out LockBit attacks.
Artur Sungatov and Ivan Gennadievich Kondratyev (aka Bassterlord) are accused of deploying LockBit against numerous victims throughout the United States, including companies in manufacturing and other industries nationwide, as well as victims worldwide in the semiconductor and other sectors, according to the U.S. Department of Justice (DoJ).
Kondratyev was also charged with three counts stemming from his use of the Sodinokibi (aka REvil) ransomware variant to encrypt data, exfiltrate victim information, and extort ransom payments from a victim company based in Alameda County, California.
The development comes in the aftermath of an international campaign of disruption against LockBit, which the NCA described as “the world’s most damaging cybercrime group”.
As part of the takedown, the agency said it had taken control of LockBit’s services and compromised the group’s entire infrastructure, including the administration panel used by affiliates and the public-facing leak site hosted on the dark web.
In addition, 34 servers belonging to LockBit affiliates were dismantled, and more than 1,000 decryption keys were recovered from the seized LockBit servers.
Since its debut in late 2019, LockBit has operated a ransomware-as-a-service (RaaS) scheme in which the encryptor is licensed to affiliates, who carry out the attacks in exchange for a share of the ransom proceeds.
The attacks follow a double-extortion model: sensitive data is stolen before the systems are encrypted, and victims are then pressured to pay both to decrypt their files and to prevent the stolen data from being published.
“The ransomware group is also known for experimenting with new methods to pressure victims into paying ransoms,” Europol said.
“Triple extortion is one such method that includes the traditional methods of encrypting the victim’s data and threatening to leak it, but also incorporates distributed denial of service (DDoS) attacks as an added layer of pressure.”
Data theft is carried out with a custom exfiltration tool codenamed StealBit. The infrastructure used to organize and transfer victims’ data has since been seized by authorities in three countries, including the United States.
According to Eurojust and the DoJ, LockBit attacks are believed to have affected more than 2,500 victims worldwide and netted over $120 million in illicit proceeds. A decryption tool that recovers files encrypted by the ransomware has also been made available for free through No More Ransom.
“Thanks to our close cooperation, we hacked the hackers; took control of their infrastructure, seized their source code and obtained keys that will help victims decrypt their systems,” said NCA director general Graeme Biggar.
“To date, LockBit is blocked. We have damaged the capacity and, more importantly, the credibility of a group that depended on secrecy and anonymity. LockBit may be trying to rebuild their criminal enterprise. However, we know who they are and how they operate.”