LockBit ransomware operations seized by law enforcement in ‘Operation Cronos’

Several operations of the notorious ransomware gang LockBit have been seized by global law enforcement authorities in a coordinated takeover under the banner “Operation Cronos.”

Eight “.onion” domains owned by the ransomware group have been taken over by the authorities and, as of Tuesday, were displaying a message that read, “The site is now under the control of law enforcement.”

“This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos,” the message on the dark web portals read.

The takeover has also locked out LockBit’s affiliates attempting to log into the affiliate panel.

Authorities to share further details

While neither the authorities nor any other entities involved in “Operation Cronos” have released a public confirmation or press release regarding the seizure, the message displayed on the domains hints that further details of the operation will be revealed.

“We can confirm that LockBit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation. Return here for more information at 11:30 GMT on Tuesday 20th Feb,” the message added.

Meanwhile, key operations of the ransomware gang have been seized, including access to LockBit’s affiliate panel, a central control panel that LockBit’s affiliate groups use to create and modify various LockBit ransomware-as-a-service (RaaS) samples, manage attacks and victims, run attack analytics and publish blog posts.

“Law Enforcement has taken control of Lockbit’s platform and obtained all the information held on there,” said a block alert for login attempts made on the panel. “This information relates to the Lockbit group and you, their affiliate. We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more.”

LockBit ransomware-as-a-service (RaaS) gained prominence quickly after its launch in 2019, making it the leading ransomware used in 2022, second only to the Russia-backed Conti ransomware group. LockBit accounted for 15% of ransomware attacks in the first quarter of 2022, while Conti accounted for 16%, according to a report by ransomware incident response firm Coveware.

LockBit’s quicker evolution and claims of an edge over the competition, combined with Conti’s disintegration into smaller groups, led to it becoming even more formidable. With the launch of LockBit 3.0 in the second half of 2022, the group filled the void left by Conti’s disappearance and became the most used ransomware by the end of the third quarter of 2022.

The group sells access to the ransomware and associated infrastructure to affiliate (third-party) cybercriminals or groups, charging them a commission of 25% on the money received as ransom from attacks. Like most RaaS gangs, LockBit also employs double extortion tactics, allowing its affiliates to exfiltrate data from victim organizations in addition to encrypting it, so they can also threaten to leak it.
