Two LockBit suspects charged as disruption efforts ramp up

21 Feb 2024


With multiple alleged LockBit members charged and a trove of their data taken by law enforcement, it looks unlikely that the cybercrime group will survive.

International law enforcement groups have shared further details on Operation Cronos – a coordinated effort to take down the notorious LockBit ransomware gang.

This gang suffered a severe disruption this week, when an international task force seized its data leak website and gained vast amounts of data on the gang, its victims and its affiliates.

The operation is being led by the UK’s National Crime Agency (NCA), in close cooperation with the FBI and other enforcement agencies. Following the website seizure, the NCA and the US Department of Justice publicly shared details on the operation against LockBit.

The US Department of Justice unsealed formal charges against two suspected LockBit members, Russian nationals Artur Sungatov and Ivan Kondratyev. They are both charged with deploying LockBit against numerous US victims. Additional charges against Kondratyev were unsealed, related to an alleged deployment of ransomware against a US victim in 2020.

US attorney Philip R Sellinger said that these unsealed indictments mean a total of five alleged LockBit members have been charged by his office and its partners.

“Our investigation will continue, and we remain as determined as ever to identify and charge all of LockBit’s membership – from its developers and administrators to its affiliates,” Sellinger said. “We will put a spotlight on them as wanted criminals. They will no longer hide in the shadows.”

The NCA described LockBit as “the world’s most harmful cybercrime group” and said it has caused billions of pounds in losses over the past four years. The agency said it obtained the LockBit platform’s source code, along with a “vast amount of intelligence” about the group’s activities and those who have worked with it.

Thanks to this operation, the NCA also said it can help LockBit victims who had their systems encrypted by the ransomware gang. The agency said it obtained more than 1,000 decryption keys and will be contacting UK-based victims in the coming weeks to help them recover encrypted data. The FBI and Europol will support victims in other regions.

NCA director general Graeme Biggar said the agency “hacked the hackers” and that the operation shows no criminal operation is out of reach.

“We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity,” Biggar said.

The future of LockBit is unclear, but Biggar said the criminal group may try to rebuild its operations. Mark Stockley, a Malwarebytes senior threat researcher, believes it is unlikely that the LockBit “brand” will survive this operation and predicts that it will either rebrand or disperse into other groups.

This pattern has been seen when previous cybercriminal groups, such as the Conti ransomware group, were disrupted by law enforcement. Regardless, Stockley believes the operation will have a large impact on global ransomware operations.

“LockBit is the 800lb gorilla in the ransomware world,” Stockley said. “If law enforcement can tackle LockBit, they can tackle any group.

“This won’t stop ransomware, but every ransomware group is going to look over its shoulder and wonder if law enforcement has already infiltrated them, or any other groups they work with.”

A report by Corvus Insurance claimed ransomware activity grew in 2023, but also suggested that significant law enforcement activity disrupted the ransomware ecosystem towards the end of the year.


Leigh Mc Gowran is a journalist with Silicon Republic
