Lockbit, believed to be the world’s largest criminal ransomware group, has had its systems infiltrated by the National Crime Agency (NCA). The infiltration was first noted on Monday evening, when a message appeared on the Lockbit website stating that it was under the control of law enforcement. This infiltration will shed new light on the organisation’s scale, operational methods, and effects.

Who were Lockbit, and what did they do?
Lockbit is a ransomware group believed to be based in Russia. They were known primarily as the most prolific ransomware group in the world, and they sold their services to other criminals.

Ransomware is malicious software (malware) that encrypts (locks) files or computer systems and demands a ransom payment for their release. It is like digital kidnapping, holding your data hostage until you pay up.
Lockbit is the name of a software solution that the Lockbit group would use on their targets but also sell and market to other criminals for further financial gain. Within their marketing campaigns in the underground digital criminal world, they claimed it was the fastest encryption software in the world. Lockbit was also huge, with this software reported to account for of all Ransomware attacks.

A group that sells ransomware software is known as a Ransomware-as-a-Service (RaaS) provider. This model is becoming more popular with criminals. It makes ransomware more accessible to criminals and lets the creators profit further, operating in a franchise-like way.

Lockbit also operated with a double extortion methodology. This means they would not just steal and encrypt the data but also threaten to release it publicly online. This could often cause significantly more damage to an organisation.

It is believed that they are responsible for global losses in the billions, with thousands of victims, including 200 known UK victims.

How was Lockbit taken down?

Lockbit has been a target for law enforcement for some time, with law enforcement going public when they hit the open phase of the operation.

What does the takedown of Lockbit mean?

The takedown of the Lockbit operation means that the software can no longer operate, rendering the Lockbit ransomware useless. When customers attempt to log in to the site, they are informed that it is in the hands of law enforcement, along with Lockbit’s internal data, such as user information of victims, money extorted and much more. There is also a warning for the customers stating that law enforcement may contact them very soon.

Does this spell the end of Lockbit?

Other cybercriminal gangs have re-emerged quickly under a new name after law enforcement disrupted their operations in the past. This is a possibility for Lockbit; however, it is hoped it will be different. This is because a large part of Lockbit’s operation rested on trust and brand reputation; they even went as far as tattooing the Lockbit brand on their bodies.

This is a major reason law enforcement has made the takedown so public: to try to undermine the trust of Lockbit customers and encourage them to stop, as law enforcement now has their details.
Another reason for the publicity behind the takedown is to prevent the gang from reassembling. As they are based in Russia, it is impossible to arrest any individuals responsible, so mass disruption of the operations is law enforcement’s only option.

Whilst these operations have not always gone to plan in the past, it is hoped that, due to the scale of this operation and the public exposure of Lockbit’s activities, the disruption will prevent a fast return of the Lockbit group.

What can you do to secure yourself or your business from attack?

The fact that Lockbit has been taken down does not mean cyber attacks are showing any signs of stopping. A huge threat surface remains, meaning vigilance is as critical as ever to ensure your business’s digital resilience.
It is essential for every business to ensure that adequate cybersecurity training, technical controls, and recovery planning are in place.

