The Australian Federal Police (AFP) and international law enforcement agencies have joined forces to disrupt the “world’s most harmful ransomware”, resulting in multiple server takedowns and arrests.
In an international investigation titled ‘Operation Cronos’, law enforcement agencies from 10 countries banded together to disrupt the criminal operations of LockBit, a ransomware group which the AFP notes has caused “billions of dollars’ worth of harm across the globe” since first emerging in 2019.
Led by EU law enforcement agency Europol, the months-long operation has resulted in the compromise of LockBit’s primary platform, as well as the takedown of some 34 servers in Australia, US, UK and multiple European nations.
“Cyber crime is not restricted by borders and tackling this crime type requires a united, global response from law enforcement,” said AFP assistant commissioner Scott Lee.
“This latest takedown is yet another example of the powerful outcomes that can be achieved through a united law enforcement front.”
As reported by Europol, the UK's National Crime Agency (NCA) has taken control of the technical infrastructure which “allows all elements of the LockBit service to operate”, as well as its dark web leak site which has historically hosted the stolen data of ransomware victims.
The operation also saw law enforcement freeze over 200 cryptocurrency accounts allegedly owned by the ransomware group, effectively disrupting the group’s ability to yield its criminal profits.
Meanwhile, France’s National Gendarmerie, one of the nation’s law enforcement forces, has arrested two alleged LockBit actors in Poland and Ukraine – with a further three arrest warrants and five indictments issued by US and French law enforcement.
According to the AFP and Europol, authorities have obtained a “significant amount of data” since the investigation started – which will be used to support the ongoing operation while targeting both the leaders of the group as well as “developers, affiliates, infrastructure, and criminal assets” linked to its illicit activities.
“Further arrests across the globe are expected,” the AFP said.
Authorities were able to place this message on the LockBit site. Photo: Supplied
Big win against LockBit’s global rampage
Europol describes LockBit as the “world’s most harmful ransomware” – which is unsurprising given the criminal gang’s track record over the last four years.
Functioning as a “ransomware-as-a-service” or RaaS product – which enables cyber criminals to purchase and deploy ready-made ransomware with little tech skills or knowledge – LockBit has caused billions of dollars in harm globally, including millions to Australian individuals and businesses.
The ransomware group has unrelentingly targeted schools, medical facilities, businesses and government entities across the globe – often causing significant service disruptions in the process.
Last year, the UK’s leading mail delivery service, Royal Mail, suffered a cyber incident which saw international shipping grounded after its machines were infected by a prominent strain of LockBit ransomware.
Months later, the group claimed an attack against insurance company Managed Care of North America Dental – with hackers reportedly able to “see and take copies” of some personal information across 8.9 million patients.
And in January this year, Chicago-based children’s hospital Saint Anthony Hospital was threatened with an approximate $1.37 million (US$900,000) ransom as LockBit threatened to release patient records onto the dark web.
Domestically, the most recent statistics reported by the Australian Cyber Security Centre show from 1 April 2022 to 31 March 2023, LockBit made up 18 per cent of reported Australian ransomware incidents.
LockBit’s long-running string of attacks is expected to slow significantly following the joint effort of Operation Cronos, with known victims receiving further support and resources from participating agencies.
The Japanese Police have notably developed a multi-language decryption tool designed to recover files encrypted by one of LockBit’s leading ransomware strains, while the NCA has obtained over 1,000 decryption keys which it plans to use in assisting known UK-based victims in coming weeks.
Furthermore, with a significant portion of its infrastructure now under control by authorities, more than 14,000 accounts linked to LockBit have been identified and referred for removal by law enforcement.
“This investigation has not only taken down the world’s most prolific ransomware group, but also damaged the group’s reputation and credibility beyond repair,” said Lee.