The website of LockBit, the world’s most prolific ransomware group, was seized on Monday in a coordinated international law enforcement operation involving the U.K.’s National Crime Agency, the FBI, Europol, and several international police agencies.
A seizure notice displayed on LockBit’s website states, “This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’.” The notice further confirms that LockBit’s services have been disrupted as a result of ongoing and developing international law enforcement action.
Since its emergence in late 2019, LockBit has been unparalleled in its ransomware activities, with researchers at Recorded Future attributing nearly 2,300 attacks to the group. In comparison, the second most active group, Conti, has been publicly linked to only 883 attacks.
However, LockBit’s notoriety extends beyond its prolific attack volume to the severity of the damage it inflicts and the targets it chooses. Despite prior claims by the group to refrain from attacking hospitals, LockBit targeted Canada’s largest children’s hospital during the 2022 Christmas season, along with multiple healthcare facilities in the U.S. and abroad. Additionally, LockBit claimed responsibility for a November attack on a hospital system, resulting in appointment cancellations at multiple facilities in Pennsylvania and New Jersey.
Don Smith, vice president of threat research at Secureworks CTU, describes LockBit as “the most prolific and dominant ransomware operator” in a highly competitive market. Smith notes that LockBit’s strategic approach, focusing on global operations and scaling through affiliates, has propelled it to unparalleled success within the ransomware landscape.
The takedown of LockBit’s website is the latest in a series of law enforcement actions targeting ransomware gangs. Deputy Attorney General Lisa Monaco emphasized the Department of Justice’s commitment to disruptive strategies at the Munich Cyber Security Conference, stating, “You’re going to continue to see that same tempo of prevention-focused, disruption-focused, victim-centered action.”
Allan Liska, a specialist at Recorded Future who tracks ransomware groups, believes the takedown will have a significant impact on the ransomware ecosystem, even if the disruption proves temporary. Liska highlights the symbolic significance of the operation, which signals that law enforcement will pursue ransomware operators regardless of their resources or following.
Law enforcement agencies involved in the LockBit takedown are expected to provide further details about the operation on Tuesday.