U.S. and British officials on February 20 announced that they had infiltrated and disrupted a Russian-linked ransomware cybercrime group known as LockBit, arresting two Russian nationals in Poland and Ukraine, and indicting two others in the United States.
"We have hacked the hackers," Graeme Biggar, director-general of the National Crime Agency (NCA), said at a news conference in London, calling the LockBit ransomware syndicate "the world's most harmful cyber crime group" and saying it extracted $120 million from thousands of victims around the world in the four years since its founding.
Biggar said the NCA worked with the FBI, Europol, and agencies from nine other countries in Operation Cronos, which authorities said gained access to LockBit's systems by taking control of the gang's infrastructure and seizing their source code.
Hours before the announcement, the front page of LockBit's site on the so-called dark web was replaced with the words “this site is now under control of law enforcement” alongside the flags of Britain, the United States, and several other nations.
The United States on February 20 also unsealed an indictment against two Russian nationals, Artur Sungatov and Ivan Kondratyev, bringing to five the number of Russians it has indicted in connection with LockBit. The U.S. Treasury Department also imposed sanctions against Sungatov and Kondratyev.
In May 2023, the United States offered a $10 million reward for information leading to the arrest of one of the other indicted Russians, Mikhail Pavlovich Matveev. Two others have been taken into custody – one in Canada and one in the United States.
The U.S. Justice Department said the law enforcement agencies involved in Operation Cronos had seized control of numerous websites used by LockBit to connect to the organization's infrastructure and had taken control of servers used by LockBit administrators.
LockBit was a "ransomware-as-a-service" operation, which cybersecurity experts say is a model that leases software and methods to others on the dark web, where they pitch their services for use in the extortion schemes.
In a typical ransomware cyberattack, the cybercriminals hack into an entity’s system and steal or freeze sensitive data, refusing to release it until a ransom is paid.
LockBit and its affiliates targeted governments, major companies, schools, and hospitals, causing billions of dollars of damage and extracting tens of millions in ransoms from victims, officials said.
Biggar said the network had been behind 25 percent of all cyberattacks in the past year. Those targeted have included Britain's Royal Mail, U.S. aircraft manufacturer Boeing, and a Canadian children's hospital.
Officials told reporters the gang targeted 2,000 victims worldwide, but also noted that the actual number is probably larger because victims generally resist admitting publicly that they have been targeted and have paid the ransom.
Biggar said a "large concentration" of the cybercriminals are in Russia and are Russian-speaking, indicating "some tolerance of cybercriminality within Russia." But he said law enforcement agencies had not seen any direct support for LockBit from the Russian state.
The NCA has previously warned that ransomware remains one of the biggest cyberthreats facing Britain and urges people and organizations not to pay ransoms if they are targeted.