By Gordon Corera
Security correspondent, BBC News
The UK has led an operation to disrupt what is thought to be the world’s largest criminal ransomware group.
The National Crime Agency (NCA) has infiltrated systems belonging to Lockbit and stolen its data.
The organisation is believed to be based in Russia and, by volume, to be the most prolific ransomware group selling services to other criminals.
On Monday evening, a message appeared on Lockbit’s website, saying it was “now under control of law enforcement”.
The operation is being billed as one of the most significant disruptions of the cyber-criminal world. The FBI, Europol and other countries have also been involved in the long-running operation, but it is the first of its kind to be led by the UK.
Criminals use Lockbit to hack into computers belonging to companies and organisations and lock users out until a ransom is paid. They often also steal data and threaten to release it.
The group emerged around 2019 and has established itself as a dominant player. Some estimates suggest it holds around 20-25% of the market for ransomware.
Among the high-profile reported targets of Lockbit are Royal Mail, which was hit in January 2023, disrupting international deliveries. Last November, Industrial & Commercial Bank of China (ICBC) was also hit with major repercussions in the financial world. Others reported to have been hit include suppliers to the NHS, law firm Allen & Overy and Boeing, the aerospace company.
The operation has been under way covertly for some time, with law enforcement gathering data before moving to a more public phase on Monday evening.
The NCA’s technical experts had been able to get inside Lockbit’s own systems and take control. In doing so, they were able to steal a large amount of the criminal group’s own data about its activities.
Since many companies do not admit they have been hacked and sometimes pay a ransom, this data may well provide a unique insight into the true scale of the group’s work as well.
As they moved into the more open phase of the operation, law enforcement went public about their infiltration.
They took control of the site on the dark web, where Lockbit publicised its activities and replaced it with the emblems of the various law enforcement agencies and a message reading: “The site is under the control of the National Crime Agency of the UK, working in close co-operation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”
At a press conference on Tuesday morning, the head of the NCA, Graeme Biggar, said it assessed the group was responsible for 25% of ransomware attacks in the last year.
He suggested the incidents had led to losses totalling billions. He said there were thousands of victims globally, including 200 that were known of in the UK – though he added that in reality there may have been many more.
Lockbit works by selling its criminal services, acting as a one-stop shop to customers known as affiliates.
These affiliates pay to be able to carry out the hacking operations and receive both the malicious software and advice.
But following the action by law enforcement, the affiliates who tried to log into the site were greeted with another message explaining that Lockbit’s internal data was now in the hands of law enforcement, including details of victims, the amount of money extorted “and much, much more”. The message adds: “We may be in touch with you very soon.”
There have been so-called “take-downs” in the past but in many cases the criminal groups re-emerged soon after their online operations were disrupted by law enforcement, limiting the long-term impact.
But in this case, those behind the operation are hoping to have a more significant impact by undermining the credibility of the group and attacking its reputation. The group relies heavily on branding. It has even paid people to have the Lockbit brand tattooed on their bodies.
The aim is to sow distrust: affiliates are made to realise that law enforcement now has their details, driving a wedge between them and those who run Lockbit, while other criminals are led to believe that working with the group in future is a risk because law enforcement is watching.
Those directly involved in the operation say they believe the UK will be significantly safer in the short and medium term from cyber-attack and describe the move as a ‘step change’ in the response to cyber-crime.
‘Wholly owned’ – ‘one of the most consequential disruptions ever undertaken’
“On the face of it, this is one of the most consequential disruptions ever undertaken against one of the giants of ransomware, and certainly by far the biggest ever led by British police,” Ciaran Martin, the former head of the UK’s National Cyber Security Centre, told the BBC.
“There are few, if any, bigger players than Lockbit in ransomware, and the NCA seem to have wholly ‘owned’ them, as we say in cyber security”, he added.
Those behind the Lockbit group are believed to be based in Russia, which means that, like other similar groups, they are beyond the reach of law enforcement for arrest. That means disruption is often the only realistic option to try to undermine their work, alongside improving cyber-defences.
When the FBI carried out a similar operation against a group called Blackcat last year, it resulted in a tussle over control of the site between the group and US law enforcement, a sign that these operations do not always go exactly to plan.
But the hope is that this operation, with its very public exposure of Lockbit’s activities, will disrupt them enough to prevent a quick return.