Law enforcement from eleven countries take LockBit offline

On February 19, 2024, an international police operation took control of the dark website of Russian-speaking ransomware gang, LockBit. The cybercriminals used the site to display the list of their victims and their ransom demands, and post stolen data. A message reading “this website is now under the control of law enforcement” currently shows on the homepage.

Led by Britain’s National Crime Agency, in partnership with the FBI, the international operation, named “Cronos”, brought together law enforcement from eleven countries, including the French gendarmerie. Germany, Australia, Canada, the United States, Finland, France, Japan, the Netherlands, the United Kingdom, Sweden and Switzerland took part.

The coalition explains it will “soon” give further details on the Cronos operation. Its impact on LockBit’s technical infrastructure and activities therefore remains uncertain. However the chance Cronos leads to significant arrests is slim, as most of the gang’s leaders live in Russia.

LockBit is, by far, the world’s leading Ransomware-as-a-Service. It is responsible for more than 2,000 known attacks. The group probably has hundreds of affiliates, targeting SMEs as well as more high-profile public and private sector entities.

In France, LockBit’s members attacked the hospital of Corbeil-Essonnes, the cosmetics company Nuxe, La Poste Mobile (mobile network provider), the French department of Loiret, Voyageurs du Monde (travel agency) and a Thales branch. On an international level, their most spectacular operations hit Royal Mail, Continental (automotive parts manufacturer), the California State administration, the port of Lisbon and the Subway fast-food chain.