US FBI seizes Lockbit hacking websites in ransomware disruption

Authorities from 11 different countries took part in an operation which seized 11,000 domains used by Lockbit and its affiliates to facilitate ransomware. PHOTO: REUTERS

WASHINGTON - A coalition of international law enforcement agencies, including the US FBI and UK National Crime Agency, said they have disrupted Lockbit, one of the most prolific hacker groups of all time, including shutting down websites the organisation used for ransomware payments.

A post on the gang’s website on Feb 19 said it’s “now under the control” of the UK agency, the FBI and other law enforcement agencies.

Authorities from 11 different countries took part in the operation, which seized 11,000 domains used by Lockbit and its affiliates to facilitate ransomware, an FBI official said. The operation, which disrupted Lockbit’s infrastructure and targeted its malware deployment system, took place in recent days, the official said.

“Lockbit has caused enormous harm and cost – no longer,” Mr Graeme Biggar, director-general of the UK National Crime Agency, said at a press conference on Feb 20. “We have hacked the hackers, we have taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”

Lockbit specialises in using malicious software known as ransomware to encrypt files on its victims’ computers, then demanding payment to unlock the files. The operation recruits hackers to conduct the cyberattacks using Lockbit’s tools and infrastructure. Lockbit gets a cut of any ransom extorted in the hacks.

Lockbit administrators did not respond to multiple requests for comment.

The group was responsible for a 2023 attack on the US arm of Industrial & Commercial Bank of China, which disrupted the US$26 trillion (S$35 trillion) US Treasury market.

It also took down a website that Boeing uses to sell spare aircraft parts, software and services.

Two Lockbit actors were arrested, in Poland and Ukraine, as part of the operation, according to the European Union’s policing body Europol. Three international warrants and five indictments have been issued by French and US authorities, the agency said in a statement. 

The worldwide operation disrupted the group’s infrastructure and included indictments, followed by sanctions, said Mr Brett Leatherman, deputy assistant director of the FBI.

Agents seized control of Lockbit’s equipment, including servers with victim data, file-share servers and communication servers, he said. That will help authorities return stolen data to the companies and other organisations hacked by Lockbit.

“We’ll be notifying victims here soon,” Mr Leatherman said, in an interview. 

The US also unsealed an indictment charging Russian nationals Artur Sungatov and Ivan Kondratyev with deploying Lockbit against businesses in the manufacturing sector, the semiconductor industry and a range of other organisations.

Kondratyev also faces additional charges for allegedly deploying ransomware against a victim in California in 2020. 

The pair also face sanctions, with the US Treasury banning all transactions and blocking all assets in the US or controlled by US citizens. Kondratyev, located in Novomoskovsk, Russia, allegedly worked as a Lockbit affiliate, the Treasury department said in a statement. Sungatov is a Lockbit ransomware group affiliate and has actively engaged in Lockbit ransomware incidents, according to the statement.

“This is a righteous, serious blow against a malevolent actor that has caused financial losses and real suffering all over the world,” said Ms Sandra Joyce, vice-president of Mandiant Intelligence, part of Google Cloud. “We couldn’t hope for much more in terms of a disruption to ransomware operations. This is the model we hope to see more of moving forward.”

Lockbit administrators organised and transferred victim data via a hacking tool called “StealBit,” according to the Justice Department.

Lockbit came to prominence in 2021, calling itself Lockbit 1.0. In 2022, it became Lockbit 2.0, and its latest iteration is Lockbit Green. One of the group’s most recent victims was EquiLend. The trading platform, which processes trillions of dollars of transactions a month, said the incident on Jan 22 affected some automated securities lending services.

The hacking group has claimed 1,600 victims in the US and 2,000 internationally, according to the FBI. A majority are within the private sector, and the FBI said it’s tracking 144 million ransoms paid in relation to Lockbit attacks.

Mr Jean-Philippe Lecouffe, deputy executive director of operations for Europol, said at the press conference that the takedown is “by far the biggest ransomware case coordinated by Europol,” and involved months of planning and actions. 

“We have disrupted at every level the criminal operation of the Lockbit ransomware group, severely damaging their capabilities but also their credibility,” he said. “Today, we have delivered a decisive blow not only to their operations but to their reputation.” BLOOMBERG