A criminal ransomware group – thought to be the world’s largest – has been severely disrupted thanks to a huge multinational operation led by the UK’s National Crime Agency.
Lockbit has made headlines around the world since first emerging in 2019, after its ransomware was used in high-profile attacks on everything from IT firms to retailers and even hospitals. The biggest known UK victim was the Royal Mail, which had to put a temporary stop to its international shipping operations after being attacked in January 2023.
In the past two years Lockbit has grown into one of the most prolific cybercrime tools, with the BBC claiming it may have held around a quarter of the market for ransomware technologies – whilst a report from Canada in 2023 estimated that it was behind 44% of all incidents globally.
All this is what drove a multinational effort to bring down Lockbit, with the so-called Operation Cronos counting representatives from the USA, Canada, Japan, France, Sweden and Australia among its number. This operation was led by the NCA, which had been keeping its work well hidden until this month when it announced a victory in the form of infiltrating Lockbit systems and stealing its data.
The Lockbit website was also taken over, presenting visitors with the notification that it was “now under control of law enforcement”.
As well as giving the website a new look, law enforcement agencies also had a message for anyone who tried to log into the Lockbit system, saying that all its internal data had been accessed. It concluded with the rather ominous warning: “We may be in touch with you very soon.”
The size and impact of this takedown shouldn’t be underestimated, the former head of the UK’s National Cyber Security Centre Ciaran Martin told the BBC: “This is one of the most consequential disruptions ever undertaken against one of the giants of ransomware.
“There are few, if any, bigger players than Lockbit in ransomware, and the NCA seem to have wholly ‘owned’ them.”
