UK leads takedown of LockBit ransomware gang’s website

The LockBit ransomware gang’s website has been seized, several news agencies reported late Monday.

The Reuters news agency and The Register are carrying stories based on a new splash screen that has appeared on the gang’s website.

It says, “This site is now under the control of the National Crime Agency of the UK, working in close co-operation with the FBI and the international law enforcement task force, Operation Cronos.”

“This is an ongoing and developing operation,” the statement adds.

It suggests viewers check back at 11:30 GMT — which is 6:30 a.m. Tuesday Toronto time — for more news. There are no statements on the FBI or U.S. Justice department websites.

Reuters quotes an unnamed NCA spokesperson as confirming the action.

The new NCA splash screen says participating countries in the action include Canada, France, Japan, Switzerland, Germany, Australia, Sweden, the Netherlands and Finland.

Reuters quotes vx-underground, a cybersecurity research website, as saying LockBit has posted messages in Russian, shared on Tox, an encrypted messaging app, stating that the FBI hit its servers that run on the programming language PHP. The statement, which Reuters could not verify independently, added that the gang says it has backup servers without PHP that “are not touched”.

“This is likely the most significant disruption of a ransomware operation to date,” Brett Callow, a Canadian-based ransomware threat analyst at Emsisoft, said to ITWorldCanada.com.

“LockBit is one of the longest-running cybercrime operations and has demonstrated cockroach-like durability. This disruption sends a clear message that no group is bulletproof and its affiliates and other associates will be wondering whether law enforcement has captured information that points to them. There’s more risk than ever. Cybercriminals know they can no longer operate with the impunity they once had.

“Bottom line: this will not solve ransomware, but it’s nonetheless a very big win for the good guys.”

LockBit has been targeted for some time by law enforcement agencies. That led to the arrest in November, 2022 of a man in Bradford, Ont., for his alleged role in the gang. Mikhail Vasiliev pleaded guilty on February 8th to multiple counts involving cyber-extortion, mischief and weapons charges relating to acts in Canada, including ransomware attacks on Toronto’s Hospital for Sick Children and the Indigo book chain.

The U.S. wants to extradite him to face charges there.

Last June, cybersecurity agencies from seven countries including Canada and the U.S. released a joint background paper on the LockBit ransomware gang.

Measured by the number of victims claimed on its data leak site, LockBit was the most active global ransomware group in 2022.

When that report was issued seven months ago, the U.S. estimated victim organizations in that country alone had paid the gang US$91 million in ransoms since LockBit activity was first seen in January, 2020. The U.S. estimated that 16 per cent of reported ransomware attacks on American government entities, including schools and police forces, were identified as LockBit.

Canada estimated LockBit was responsible for 22 per cent of attributed ransomware incidents in 2022.

The post UK leads takedown of LockBit ransomware gang’s website first appeared on IT World Canada.
Howard Solomon