US, international partners disrupt LockBit ransomware operations

Officials have also developed a tool for victims targeted by LockBit to potentially decrypt their compromised data.

The FBI and other international law enforcement agencies seized the main website of the prolific LockBit ransomware group and several public sites the gang used to connect to its main infrastructure, officials announced Tuesday.

The operation put LockBit’s main site under the control of the United Kingdom's National Crime Agency, disrupting the hackers’ ability to breach and encrypt networks by taking down the main servers used by the group’s administrators, the announcement added. Officials also said they developed a tool that would allow victims targeted by LockBit to potentially restore their systems that have been encrypted by the group.

The Justice Department also unsealed indictments against two Russian nationals, alleging they targeted multiple U.S. manufacturing firms with LockBit, as well as several international businesses focused on semiconductors and other industries. DOJ also unsealed New Jersey-based search warrants that enabled the FBI to hamper the group’s operations, as well as an affiliated platform known as “StealBit” that LockBit members used to transfer victims’ data.

The Russian nationals — Artur Sungatov and Ivan Kondratyev — are accused of using LockBit to target U.S. manufacturing, logistics and insurance companies based in Minnesota, Indiana, Puerto Rico, Wisconsin, Florida and New Mexico, and they may have ties to other LockBit operatives previously charged by law enforcement officials.

LockBit first emerged in 2020 and has caught the attention of the Cybersecurity and Infrastructure Security Agency and its international equivalents, becoming a major global ransomware operation that’s targeted some 2,000 victims since its inception by holding organizations’ sensitive data hostage in exchange for a ransom payment. CISA marked it as the most active ransomware collective in the world in 2022. 

LockBit, whose members are generally Russian-speaking and are believed to be based in Russia, became the subject of a major ransomware attack on the Chinese government-owned Industrial Commercial Bank of China in November. The incident targeted the world’s largest lender and showed that, despite growing Russia-China geopolitical alliances, the hacking group appeared to be indifferent to cross-border dynamics as the two nations have exhibited heightened interest in targeting U.S. businesses and critical infrastructure.

“For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation,” Attorney General Merrick Garland said in a written statement. “LockBit is not the first ransomware variant the Justice Department and its international partners have dismantled. It will not be the last.”
