Britain’s National Crime Agency has seized the online infrastructure of the ‘most active’ global ransomware gang, it was announced today.

Specialist NCA cyber law enforcement teams have led an effort involving 11 international partners – including the FBI and Europol – to shut down the dark web site of Lockbit.

The illicit site, described last year by NCC Group’s Global Threat Intelligence report as one of the world’s best known cybercrime groups, was this morning taken offline following the sting.

In a short statement on the site, the law enforcement agencies appeared to signal the success of Operation Cronos in taking down the gang, thought to be of Russian origin.

It read: “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos.”

The statement added: “We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation.”

The NCA took control of Lockbit’s dark web site domain

Lockbit, formed in 2019, listed hundreds of victims from around the world on a series of underground dark web sits. Its UK based targets included Royal Mail, car dealer network Pendragon and in October last year Aberdeen law firm Raeburn Christie Clark & Wallace.

The gang targeted thousands of victims around the world, including in the UK, and caused losses of billions of pounds, dollars and euros, both in ransom payments and in the costs of recovery. It provided ransomware-as-a-service to a global network of hackers or ‘affiliates’, supplying them with the tools and infrastructure required to carry out attacks.

When a victim’s network was infected by LockBit’s malicious software, their data was stolen and their systems encrypted. A ransom would be demanded in cryptocurrency for the victim to decrypt their files and prevent their data from being published. The gang is responsible for losses of billions of pounds, globally, both in terms of sums of money extorted from victims and the economic costs of recovery.

The NCA has taken control of LockBit’s primary administration environment, which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, on which they previously hosted, and threatened to publish data stolen from victims. Instead, this site will now host information exposing LockBit’s capability and operations, which the NCA will be posting daily throughout the week.

The agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have worked with them and used their services to harm organisations throughout the world. 

It has also obtained over 1,000 decryption keys and will be contacting UK-based victims in the coming days and weeks to offer support and help them recover encrypted data.

Graeme Biggar, National Crime Agency director general, said: “This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

Matt Hull, global head of threat intelligence at NCC Group, said: “The law enforcement intervention against the LockBit RaaS Group is perhaps the most significant over the last two or three years. 

“This is an excellent example of what can be achieved when there is coordinated effort against a common threat. It highlights the need for governments and law enforcement agencies to combine their efforts to tackle the threat from ransomware.”

In 2023, NCC recorded 1,039 victims of Lockbit, which equates to 22 per cent of all ransomware victims identified for the whole year.