LockBit ransomware operations seized by law enforcement in ‘Operation Cronos’

Several operations of the notorious ransomware gang LockBit have been seized by global law enforcement authorities in a coordinated takeover under the banner “Operation Cronos.”

Eight “.onion” domains owned by the ransomware group have been taken over by the authorities and as of Tuesday were displaying a message that read: “The site is now under the control of law enforcement.”

“This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos,” the message on the dark web portals read.

Additionally, the takeover has also locked out LockBit’s affiliates attempting to log into the affiliate panel.

Authorities to share further details

While the authorities or any other entities involved in “Operation Cronos” have released no public confirmation or press release regarding the seizure, the display message on the domains hints that a further revealing of operation details may be forthcoming. “We can confirm that LockBit’s services have been disrupted as a result of International Law Enforcement action — this is an ongoing and developing operation. Return here for more information at 11:30 GMT on Tuesday 20th Feb,” the message added.

Meanwhile, key operations of the ransomware gang have been seized including access to LockBit’s affiliate panel, a central control panel for LockBit’s affiliate groups to create and modify various LockBit ransomware-as-a-service (RaaS) samples, manage attacks and victims, run attack analytics, and publish blog posts.

“Law Enforcement has taken control of Lockbit’s platform and obtained all the information held on there,” said a block alert for login attempts made on the panel. “This information relates to the Lockbit group and you, their affiliate. We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more.”

LockBit faces takedown after a popular run

LockBit ransomware-as-a-service (RaaS) gained prominence quickly since its launch in 2019, making it the leading ransomware used in 2022, second only to the Russia-backed Conti ransomware group. In the first quarter of 2022, 15% of ransomware attacks were perpetrated by LockBit, while Conti contributed 16%, according to a report by ransomware incident response firm Coveware.

LockBit’s quicker evolution and claims of an edge over the competition, combined with Conti’s disintegration of smaller groups, led to it becoming even more formidable. With the launch of lockBit 3.0 in the second half of 2022, the group filled in the void from Conti’s disappearance and became the most used ransomware by the end of the third quarter of 2022.

The group sells access to the ransomware malware and associated infrastructure to affiliate (third-party) cybercriminals or groups, charging them a commission of 25% on the money received as ransom from attacks. Like most RaaS gangs, LockBit also employs double extortion tactics, allowing its affiliates to exfiltrate data out of victim organizations on top of encryption, for additional leak threats.