International Law Enforcement Operation Successfully Disrupts Cybercrime Gang Lockbit

JAKARTA - Lockbit, a cybercrime gang known for holding victims' data hostage, has been successfully disrupted by a rare international law enforcement operation involving the British National Crime Agency, the United States Federal Bureau of Investigation, and Europol. This was revealed in a post on the gang's extortion site on Monday, February 19.

"Currently under the control of the UK's National Crime Agency, in close cooperation with the FBI and international law enforcement task forces, 'Operation Cronos'," the post read.

An NCA spokesman confirmed that the agency had disrupted the gang and said the operation was "ongoing and developing". Meanwhile, the United States Department of Justice did not immediately respond to a request for comment.

The post also mentioned other international police organizations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany.

Lockbit and its affiliates have hacked several of the world's largest organizations in recent months. The gang made money by stealing sensitive data and threatening to leak it if the victim did not pay a huge ransom. Its affiliates are like-minded criminal groups that Lockbit recruits to carry out attacks using its digital extortion tools.

Ransomware is malicious software that encrypts data. Lockbit makes money by forcing its targets to pay a ransom to decrypt or unlock the data with a digital key.

Lockbit was discovered in 2020 when its malicious software of the same name was found on a Russian-language cybercrime forum, which led some security analysts to think the gang was based in Russia.

However, the gang has not expressed support for any government, and no government has officially linked it to any country. On its now-inactive dark web site, the group said it was "located in the Netherlands, fully apolitical, and only interested in money."

"They are the Walmart of ransomware groups, they run it like a business - that's what makes them different," said Jon DiMaggio, principal security strategist at Analyst1, a cybersecurity company based in the United States. "They are arguably the largest ransomware group today."

Officials in the United States, where Lockbit has attacked more than 1,700 organizations in nearly every industry ranging from financial and food services to schools, transportation, and government departments, have described the gang as the world's top ransomware threat.

In November last year, Lockbit published internal data from Boeing, one of the world's largest defense and space contractors. In early 2023, the Royal Mail of the United Kingdom experienced serious disruption after being attacked by the group.

Before the Lockbit site was closed, it featured a growing gallery of victim organizations that was updated almost daily. Beside each name was a digital clock showing the number of days remaining before that organization's deadline to pay the ransom.

On Monday, the Lockbit site displayed a similar countdown, but this time from the law enforcement agents who hacked the hackers: "Back here for more information on: 11:30 GMT on Tuesday, February 20," the post read.

Don Smith, vice president of Secureworks, a division of Dell Technologies, said that Lockbit is the most prolific and dominant ransomware operator in the highly competitive underground market.

"To put today's demolition into context, based on leak site data, Lockbit has a ransomware market share of 25%. Their closest rival is Blackcat with about 8.5%, and after that it's really starting to fragment," Smith said. "Lockbit far outpaced all other groups, and today's action is very significant. Lockbit's affiliate with the group has been fanatical, and because of that, although some may have been sidelined, unfortunately many are most likely to be along with other criminal organizations."