On February 20, 2024, law enforcement agencies from the United States and the United Kingdom successfully carried out a major operation against the LockBit ransomware group, known for its extensive and harmful cyberattacks across the globe. This group, responsible for over 2,000 attacks worldwide and extracting more than $120 million in ransom payments, saw its darknet sites taken over by authorities. These sites, previously used to shame and pressure victims into paying ransoms, now offer free recovery tools and display information about the arrests and charges against LockBit affiliates.

The operation, named “Operation Cronos,” resulted in the seizure of about thirty-four servers and the arrest of two individuals believed to be part of LockBit. Additionally, two indictments were unsealed, a LockBit decryption tool was made publicly available, and over 200 cryptocurrency accounts associated with the group’s financial operations were frozen.

LockBit, active since September 2019, has targeted a wide range of victims in the U.S. and internationally, generating vast sums through ransom demands. Operating on a ransomware-as-a-service model, the group provided the malware and infrastructure, while affiliates focused on identifying targets. Affiliates earned a significant share of the ransoms paid.

Europol disclosed that a thorough investigation led to the compromise of LockBit’s main platform and other critical assets, including servers in several countries. Two suspected LockBit members were apprehended in Poland and Ukraine, though details about these individuals remain limited.

The U.S. Department of Justice announced charges against two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratyev, for their involvement in LockBit attacks. These indictments add to previous charges against other affiliates, highlighting the international effort to dismantle the LockBit network.

The operation’s success provides valuable insights into the operations of ransomware groups and their affiliates, potentially impacting other ransomware operations. The infiltration of LockBit’s infrastructure, particularly through exploiting a vulnerability in PHP, has sparked discussion and ridicule within cybercriminal communities, especially concerning the group’s failure to detect the flaw through its bug bounty program.

In a move seen as mocking the group, federal investigators have also utilized LockBit’s victim shaming site to tease the reveal of “LockBitSupp,” a key figure within the group, adding a layer of psychological warfare to the operation.

The collaborative effort included contributions from law enforcement agencies across several countries, emphasizing the global commitment to combating cybercrime. Victims of LockBit attacks are encouraged to reach out to the FBI for assistance in decrypting affected systems, with additional support from a recovery tool developed by the Japanese Police and Europol.

This operation marks a significant blow to LockBit and demonstrates the effectiveness of international cooperation in the fight against cyber threats.