An international law enforcement operation codenamed ‘Cronos,’ involving the FBI, the U.S. Department of Justice, the NCA, Europol, and police forces from 10 countries, has significantly disrupted the world’s most prolific ransomware group, LockBit.
LockBit is a notorious ransomware group that emerged in late 2019, operating on a “ransomware-as-a-service” (RaaS) model where the core team develops ransomware and infrastructure while affiliates carry out attacks. LockBit is infamous for its aggressive extortion techniques, including stealing sensitive data before encrypting it and then threatening to leak it publicly to pressure victims into paying ransoms.
The group has caused significant financial and operational damage worldwide and has exposed the sensitive records of millions of people who were indirectly compromised by breaches on their service providers. Some notable examples of LockBit’s victims include Boeing, Royal Mail, Continental Tires, and the Bank of America.
Operation Cronos has seized 34 servers supporting the LockBit operation, made two arrests, and froze 200 cryptocurrency accounts linked to the criminal proceeds, as well as the closure of 14,000 related accounts. Also, law enforcement has assumed control of LockBit’s victim extortion portal on the dark web and has turned it into an announcement board containing decryption tools, indictment details, and more.
Cybersecurity company Prodaft played a crucial role in mapping Lockbit’s infrastructure, identifying over 28 affiliates, obtaining the locker’s source code, mapping the network of initial access brokers selling intrusion points to LockBit operators, and notifying impacted organizations in advance.
Since the authorities have now seized critical infrastructure used by LockBit, it is considered inevitable that more arrests will follow in the coming months, as the forensic investigation yields crucial data leading to the identity of LockBit’s affiliates and potentially also its core team.
“We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more. We may be in touch with you very soon. Have a nice day. Regards, The National Crime Agency of the U.K., the FBI, Europol, and the Operation Cronos Law Enforcement Task Force.”
If you’re looking for a decryptor for LockBit 3.0, the latest variant the ransomware gang used, you may download it from here. Instructions on how to utilize it are available on the “No More Ransom” portal. Remember to back up your (encrypted) files before trying to decrypt them, as there’s always the risk of ending up with irreversibly corrupted files.
This disruption is significant and will likely lead to the end of the LockBit project and the disbandment of its core team. However, as long as prominent members of the cybercrime operation remain free, there’s always the risk of launching a new RaaS operation under a new brand name. Also, remaining affiliates can jump ship to other ransomware operations and continue making a profit from their malicious activities.