An international task force, headed by the UK’s National Crime Agency (NCA), has arrested two people from Poland and Ukraine allegedly involved with the LockBit ransomware that has plagued the world since 2019. In addition to the arrests, the technical infrastructure that allows LockBit to operate has been seized by law enforcement.
According to Europol, which helped coordinate the operation, authorities have also frozen a whopping 200 cryptocurrency accounts linked to the organisation. Europol believes that this move will help to disrupt the financial incentive driving ransomware attacks.
While the two arrests are no doubt important, the LockBit network is more than just the core developers; it also includes affiliates. The data that has been collected in this investigation will now be used to target the leaders of the group, developers, affiliates, infrastructure, and criminal assets linked to LockBit.
Describing how the group carries out its attacks, Europol writes:
“The group is a ‘ransomware-as-a-service’ operation, meaning that a core team creates its malware and runs its website, while licensing out its code to affiliates who launch attacks.
LockBit’s attack presence is seen globally, with hundreds of affiliates recruited to conduct ransomware operations using LockBit tools and infrastructure. Ransom payments were divided between the LockBit core team and the affiliates, who received on average three-quarters of the ransom payments collected.”
Neowin has carried some coverage of LockBit over the years. In 2023, for example, we reported that a partner of TSMC had been affected by LockBit and that the hackers were demanding a ransom of $70 million from TSMC, threatening to publicly release stolen data otherwise.
With any luck, this action by law enforcement will be a knockout blow for the criminals involved with the ransomware. We’ll have to wait and see if any other actors fill in the gap left by those who have been apprehended.
Source: Europol