
The United Kingdom has played the lead role in an operation carried out with the intention of disrupting what is widely regarded as the largest criminal ransomware gang in the world.
High-level criminal gangs purchase the Lockbit group’s services to hack into computers belonging to major organisations using sophisticated ransomware. They lock users out, steal highly sensitive data and threaten to release it unless a ransom is paid.
Now, in a move billed as one of the most significant disruptions to the cyber-criminal fraternity, the National Crime Agency (NCA) has managed to infiltrate systems belonging to Lockbit and, in a role reversal, has stolen its data.
Earlier this week a message appeared on the website of Lockbit (believed to be Russian-based), stating that it was “now under the control of law enforcement”, which, along with the UK, included the FBI and Europol.
The group emerged around 2019 and has established itself as a dominant force, with estimates suggesting that they hold up to a quarter of the market for ransomware. It is thought they have been responsible for incidents that have led to losses in monetary terms totalling billions.
In the hands of the NCA
In what will be a major blow for Lockbit, the well-planned operation has seen the NCA’s technical experts take control of its target’s systems, seemingly without any countermeasures being activated.
There have been early claims that backup servers were not affected, but there can be no doubt that this move will have been hugely disruptive, a massive inconvenience and potentially destructive.
The criminal group’s own data detailing much of its activities is now in the hands of the NCA.
Multiple forces
Once full control of the website on the dark web had been gained, a message was placed which read: “The site is under the control of the National Crime Agency of the UK, working in close co-operation with the FBI and the international law enforcement task force, ‘Operation Cronos’.”
Other police organisations believed to be involved were forces from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland and Germany.
Coming for the affiliates
Also visible on the site now are details of victims and the amount of money extorted from them. Customers who used Lockbit for their malicious software and criminal advice were referred to as affiliates, and the NCA included in their message a line aimed at these affiliates simply saying: “We may be in touch with you very soon.”
Branding takes a massive hit
There have been so-called “take-downs” in past operations, but the criminal groups re-emerged shortly afterwards, sometimes stronger than ever. This time the hope is that the credibility of Lockbit will have taken a severe hit, and the damage to its reputation will be far-reaching.
They have relied heavily on branding and right now the brand is very publicly in tatters.
Many choose to say nothing
The head of the NCA, Graeme Biggar, said there were thousands of victims globally, including 200 that were known of in the UK, but crucially he added that in reality there have probably been many more who have, for whatever reason, never reported the extortion.
Consequential disruption
Ciaran Martin, the former head of the UK’s National Cyber Security Centre, was certainly upbeat on hearing the news: “On the face of it, this is one of the most consequential disruptions ever undertaken against one of the giants of ransomware, and by far the biggest ever led by British police,” was his optimistic reaction.
He added that there are few, if any, bigger players than Lockbit in ransomware, and “the NCA seem to have wholly owned them, as we say in cyber security.”
Note of caution
There was, however, a warning from Chester Wisniewski, director, global field CTO at cybersecurity firm Sophos, who praised the efforts of the NCA, but pointed out that much of Lockbit’s infrastructure is still online, which he said probably means it is outside the grasp of the police.
On a positive note, though, he added: “Even if we don’t always get a complete victory, imposing disruption, fuelling their fear of getting caught and increasing the friction of operating their criminal syndicate, means this is still a win.”
He went on to stress the importance of continuing to band together to raise costs ever higher until such time as “we can put all of them where they belong, in jail.”
No pattern to targets
Among the high-profile reported targets in recent times were companies from varied industries, including the likes of the Industrial & Commercial Bank of China (ICBC), the Royal Mail, the Boeing aerospace company, and suppliers to the NHS.





