Cybercrime: LockBit, the “most harmful” hacker group in the world, dismantled by an international operation


Thousands of victims, hospitals or town halls targeted, losses totaling billions of euros… The LockBit cybercriminal group, presented as “the most harmful” in the world, was dismantled during an international police operation, the authorities of several countries announced on Tuesday. “After infiltrating the group’s network, the NCA (British crime agency) took control of LockBit’s services, compromising their entire criminal enterprise,” the NCA said in a statement.

According to the agency, the ransomware targeted “thousands of victims around the world” and caused losses totaling billions of euros, including the ransoms paid and the costs incurred by the victims.

“We hacked the hackers”

“We have hacked the hackers,” said Graeme Biggar, director general of the NCA, announcing the neutralization of LockBit during a press conference in London. LockBit targeted critical infrastructure and large industrial groups, with ransom demands ranging from 5 to 70 million euros. In 2023, the group notably attacked the British postal operator and a Canadian children’s hospital, and in France the Corbeil-Essonnes and Versailles hospitals in the Paris region.

The cybercriminals provided their “affiliates” with tools and infrastructure enabling them to carry out attacks. These consisted of infecting the victims’ computer network to steal their data and encrypt their files. A ransom was demanded in cryptocurrencies to decrypt and recover the data, under threat of publication of the victims’ data.

“Tolerance” of Russia

LockBit collected more than $120 million in ransoms in total, according to the United States, where a total of five people, including two Russian nationals, are facing prosecution. According to the head of the NCA, the investigations did not reveal “direct support” from the Russian state towards LockBit, but nevertheless underlined a “tolerance” towards cybercrime in Russia. “These are cybercriminals, they are based all over the world, there is a large concentration of these individuals in Russia and they often speak Russian,” he said.

LockBit is presented as one of the most active pieces of malware in the world, with more than 2,500 victims including more than 200 in France, “including hospitals, town halls, and companies of all sizes”, the Paris prosecutor’s office said in a press release. French investigators arrested “two targets in Poland and Ukraine” and carried out searches, according to the same source.

According to the Paris prosecutor’s office, the operation made it possible to “take control of a significant part of the LockBit ransomware infrastructure, including on the darknet”, and in particular the “wall of shame”, where the data of those who refused to pay the ransom was published.

“This site is under control”

According to the British NCA, more than 200 cryptocurrency accounts linked to the group were frozen and investigators obtained more than 1,000 keys used to decrypt the data so they could return it to their owners. “This site is now under law enforcement control,” says a message on a LockBit site, specifying that the British NCA has taken control of the site, in cooperation with the American FBI and agencies from several countries.

In November 2022, the US Department of Justice (DoJ) called LockBit ransomware “the most active and destructive variant in the world”. A year ago, the Hive ransomware attack network was dismantled. It was accused of targeting 1,500 entities in 80 countries and collecting more than $100 million in ransoms.


