LockBit Takedown: What Exactly Happened

February 27, 2024

Ransomware attacks continue to rise with many victims being reported every day. Last week one of the most prolific and successful groups, LockBit, became a target themselves with law enforcement (LE) action taking down their leak site and confirmation of sanctions against some of their affiliates. In this blog, we dig into what happened and what has happened since.  

LockBit are a ransomware gang that originally emerged in September of 2019. They offer ransomware-as-a-service (RaaS), which means that they allow affiliates to use their ransomware to attack victims in exchange for a monetary fee. In 2023, LockBit were reported to be one of the most prolific ransomware groups, with 44% of ransomware attacks reported globally being attributed to them. The group has had several iterations: LockBit 2.0 first emerged in 2021 and targeted many high-value victims throughout that year and into 2022. In June 2022, they released a new iteration of their malware, LockBit 3.0. As part of that release, they also announced a bug bounty encouraging security professionals to test their malware and offered rewards from $1000 to $1 million. There were rumors in early 2024 that LockBit 4.0 was coming soon. DarkOwl analysts will continue to monitor any developments on this front.

On February 19, changes were made to the LockBit leak site which made it clear that it was now under the control of law enforcement. In recent years, law enforcement have successfully seized several dark web sites, such as Breach Forums and Raid Forums, and have typically replaced the site with a notice indicating that it has been seized. With LockBit, however, the site itself stayed up and carried a message stating that the leak site was now under the control of law enforcement.

Figure 1: DDOS protection on LockBit site seized by Law Enforcement 

Utilizing the same technology that LockBit used for Distributed Denial of Service (DDOS) protection, the site, after a short delay, directed you to the LockBit blog post, where the usual cryptocurrency icons had been replaced with the flags of the countries whose law enforcement agencies were involved. A DDOS attack is a malicious attack on a network that is executed by flooding a server with useless network traffic; it exploits the limits of the TCP/IP (transmission control protocol/internet protocol) stack and renders the network inaccessible. Although the site looked the same as it had under the control of LockBit, instead of displaying victim names and details it now included information about the group themselves. Law enforcement was even using the same countdown technology LockBit used to shame victims into paying the ransom, announcing that new information would be leaked when each timer expired.

Figure 2: LockBit blog containing information about the group posted by LE 

Law enforcement announced several types of action that they had taken against the operators of LockBit. They provided a blog with details of Op Cronos and the actions they had taken. The statement indicated that a task force of law enforcement agencies from 10 different countries had come together to take down the group. The takedown was led by the UK National Crime Agency (NCA). The statement read:

“The months-long operation has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled their criminal enterprise. This includes the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom. 

In addition, two LockBit actors have been arrested in Poland and Ukraine at the request of the French judicial authorities. Three international arrest warrants and five indictments have also been issued by the French and U.S. judicial authorities.” 

UK National Crime Agency (NCA)

Although it is notable that the task force did arrest two individuals and indict two others, it appears that these individuals were affiliates of the group rather than those who operate the LockBit infrastructure, which leaves some ambiguity about the impact this takedown would have.

As well as providing details of the operation, the NCA also released images of the backend of LockBit's system. These included the admin panel showing the victim posts and the countdown.

Figure 3: LockBit back end leaked by LE 

Law enforcement also claimed that they had obtained some decryptor keys for the malware, and that victims should contact them to see if they are able to help with recovering the data that had been encrypted and stolen by LockBit.

Law enforcement indicated that they had identified 30,000 bitcoin addresses associated with the group, 500 of which are currently active on the blockchain and have received over $125 million. A lot of these funds came from the 20% fee charged to the affiliate groups, implying that the ransom amounts paid by victims are actually a lot higher. $110 million of this was still unspent on the blockchain.

Soon after the announcement of the takedown, a letter started circulating online which appeared to be a message from the group to their affiliates alerting them to the fact that a security incident had occurred. It is unclear whether this did indeed come from the group, and DarkOwl analysts have not been able to authenticate it. The letter was written in the style of a security incident notification in which personal information had been exposed, similar to the notifications the group's own victims would have to send.

Figure 4: Unverified notification from LockBit 

As of February 22, one of the onion mirrors for the leak site appeared to be back up, albeit with limited functionality. There were files which appeared to be named for the victims, and the files included file trees and samples of data which had been stolen from victims. None of the other links on the page were working and the usual format was not maintained.

Figure 5: LockBit site back up after LE action 

On February 24 a note was circulated, signed with the group's PGP keys to prove authenticity, which provided an explanation of what activity had taken place from LockBit's perspective. The note started by stating that law enforcement had been successful because the controller had become lazy about his security due to all the money they had made.

Figure 6: Message from LockBit 

The message also included a list of onion mirrors which the threat actor claimed were still in operation and had not been affected by the law enforcement action. They also claimed that they still had access to victim data and would continue to release it if the ransom was not paid. In response to the law enforcement claim that they had decryption keys, the threat actor stated that only a small number of keys had been secured and that the majority of the data could not be decrypted.

They also stated that they would continue to operate, and that while the law enforcement action had disabled their infrastructure for 4 days, that was only because they had to update the source code. Furthermore, the site indicated that they had an FBI leak and seemed to indicate they would respond to the action.

Figure 7: LockBit blog page back up with FBI listed as a victim

The law enforcement action, which took months to coordinate, appeared to take LockBit offline for only four days. Although the action will likely have some reputational impact, with affiliate groups possibly wary about working with a group they know to be a target of law enforcement, most affiliates probably already knew this was the case for one of the most prolific RaaS providers out there.

It is also likely that the group will adopt more secure operations going forward, as they themselves admitted that they had been complacent in their operations due to the amount of funds they had amassed and how long they had been able to operate without issue. They will likely not make that mistake again.  

It is a constant conundrum for law enforcement to decide when they should take disruptive action against a group and when they should continue to watch it for intelligence purposes. Law enforcement had come under pressure to take action against LockBit due to their success and the number of victims that had been targeted, and disruption does send a message to the wider community. However, the disruption was short lived, and it likely provokes the threat group into becoming more active and targeting more vulnerable sectors rather than encouraging them to stop their activities.

This was highlighted by the takedown of the BlackCat/ALPHV ransomware group in late 2023. Although the site was seized, the seizure did not last for long, with the group managing to take the site back in a matter of days; they also lifted their ban on targeting victims such as hospitals. This shows that while the seizure of a site can cause issues, if the individuals behind the group are not removed it is only a short-term solution. The fact that the NCA and the FBI continue to offer a reward for information regarding the individuals behind the group highlights that they still don't know who they are.

One could argue that it would be more profitable for law enforcement to maintain access to the threat actors' servers and leak sites in order to find information that can help victims, such as encryption keys or the data that has been stolen, and to observe the group from within to learn more about them. This, after all, is the tactic that most threat actors use: maintaining persistence and lurking on systems to find the most damaging information. But law enforcement would have considered this and weighed the risks before going public with their operation. Only time will tell the true impact this had on LockBit's activities.

Copyright © 2024 DarkOwl, LLC All rights reserved.