UK law-enforcement body joins forces with counterparts across Europe and the US to take aim at the operations of ransomware collective LockBit while providing tools to help victims recover data

UK authorities have played a key role in an international mission to take down “the world’s most harmful cybercrime group”.

Law-enforcement bodies from 10 countries have combined to target the operations of the LockBit ransomware organisation. The investigation, dubbed Operation Cronos, was led by the UK’s National Crime Agency (NCA) and coordinated at a European level by Europol and Eurojust. The case, opened in April 2022 at the request of the French authorities, has resulted in the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK. Authorities have also frozen over 200 cryptocurrency accounts linked to the criminal organisation.

After infiltrating the group’s network, the NCA has taken control of LockBit services, including its leak site on the dark web, on which the criminal gang hosted data stolen from victims. Visitors to the ransomware group’s own website are now greeted with a message (pictured above) that “this site is now under the control of law enforcement”.

Two alleged members have also been arrested in Poland and Ukraine, with three international arrest warrants and five indictments also being issued by the French and US authorities.

Related content

• Government claims it has never paid a ransomware demand – and never will
• Analysis – how and where are attackers getting in?
• Officers pose as attackers for hire as NCA doubles number of ‘major cyber disruptions’ in FY23

NCA director general Graeme Biggar said: “This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cybercrime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners. Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems. As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

Since emerging in 2019, LockBit has targeted over 2,000 victims and received more than $120m in ransom payments.

Those who suffered an attack from their group would usually have their data stolen and their systems encrypted. After this, the cyber gang would demand a cryptocurrency ransom to decrypt their files and prevent their data from being leaked. The NCA has revealed that some data within LockBit’s system belonged to victims who had paid a ransom to the criminals, showing that paying did not guarantee the data would be deleted.

Decryption tools have also designed to try and recover files encrypted by the LockBit ransomware. Available for free on the ‘No More Ransom’ portal, more than six million victims have now accessed the tools worldwide.

A version of this story originally appeared on PublicTechnology sister publication Holyrood