In a rare act of global collaboration, law enforcement agencies from the UK, USA, Europol and others have united to take down a notorious ransomware group named LockBit. ‘Operation Cronos’ was launched to disrupt the gang’s operations and, where possible, help ransomware victims regain access to their data.

The UK’s National Crime Agency (NCA) has announced that four suspects have been arrested in the USA, Poland and Ukraine. And more arrests are expected as the investigation continues.

Who are LockBit?

LockBit are a particularly successful cybercriminal gang. One estimate suggests that the group is responsible for 25% of all ransomware attacks across the world.

Unlike some groups, LockBit has no political motives – they commit crime purely for financial gain. They also operate a very profitable ransomware-as-a-service scheme, allowing virtually anyone to ‘rent’ their hacking tools; LockBot then claims a percentage of any ransom that the hackers successfully extort.

To help encourage victims to pay ransoms, LockBit’s ransomware also extracted sensitive data, allowing the hackers to keep a copy. If victims paid the ransom, these copies were deleted. If the demand went unpaid, LockBit would leak the data online, as happened to aircraft manufacturer Boeing.

The identities of the LockBit crew remain unknown, although security experts believe that the masterminds of the organization are probably based in Russia.

What happened?

Operation Cronos is best described as a ‘hack back’, with government-sponsored cybersecurity experts hacking into LockBit’s systems. Using a known, and unpatched PHP exploit, officers were able to break into the hackers’ computer systems and take control – in much the same way as a criminal hacker would.

Once inside, officers were able to seize and freeze 200 cryptocurrency accounts that were being used by the gang to collect ransom payments from their victims. They were also recovered more than 1000 digital keys required to ‘unlock’ data that had been encrypted by ransomware. Early investigations suggest that LockBit did not delete all of the copied data they collected either. Perhaps retaining it for further extortion attempts in future.

As part of the hack back, the NCA has also assumed control of the dark web site used by LockBit to ‘sell’ their services.

Is it all over for LockBit?

Despite the success of Operation Cronos, the hackers behind LockBit have not given up. They have already built a new dark web site and claim that law enforcement has only assumed control of part of their operation. The new website says that they have already resumed their hacking activities.

And while the masterminds behind LockBit, there is every chance that the gang will make a return. Even if that does not happen, there are many other cybercriminal groups ready and waiting to take over. Which means that the battle against cybercrime will continue for the foreseeable future.