An international law enforcement operation conducted on Monday seized servers and disrupted the infrastructure used by the LockBit ransomware syndicate, the latest in a series of actions aimed at dismantling the technical infrastructure of criminal and espionage groups.
Dubbed "Operation Cronos," the endeavor, orchestrated by the Federal Bureau of Investigation (FBI) and the U.K.'s National Crime Agency in collaboration with various global partners, targeted a site utilized by LockBit for data leakage, the group's file-sharing service and communication server, as well as several affiliate and support servers. Additionally, a server hosting LockBit's administrative panel was seized, as revealed by a senior FBI official to CyberScoop.
As a significant part of the operation, the FBI obtained nearly 1,000 decryption keys, which could allow victims to recover their data or blunt ongoing LockBit extortion attempts.
"This operation exemplifies the distinctive and substantial mission the FBI holds to impose repercussions on highly sophisticated cyber actors while simultaneously prioritizing assistance to cyberattack victims," expressed Brett Leatherman, the FBI's Deputy Assistant Director of Cyber Operations, during an interview.
A representative of LockBit acknowledged the operation through an online post on VX-Underground by stating, "FBI pwned me."
Graeme Biggar, Director General of the National Crime Agency, declared, "As of today, LockBit are locked out. We have significantly impaired the capabilities and notably the credibility of a group reliant on secrecy and anonymity."
Europol reported that two individuals were apprehended during the operation — one in Poland and the other in Ukraine.
This takedown is the latest in a series of FBI operations aimed at disrupting cybercrime and cyberespionage infrastructure worldwide under Rule 41, the rule of criminal procedure that allows the FBI, under a single warrant, to access and modify computers located in multiple jurisdictions. Recently, the agency announced the dismantling of a botnet controlled by Russian military intelligence. In January, the FBI dismantled a Chinese botnet used to infiltrate sensitive U.S. targets.
Emerging in September 2019, LockBit is believed to be the most widely employed ransomware variant globally. Leatherman revealed that it has been utilized by over 100 affiliates worldwide, resulting in over $144 million in ransom payments. Approximately 2,000 businesses and entities worldwide, including at least 1,600 in the U.S., have been targeted. In 2023, it was the most prevalent ransomware variant targeting industrial facilities, accounting for a quarter of all such incidents tracked by the cybersecurity firm Dragos.
As part of Tuesday's operation, the U.S. government unsealed indictments against two Russian nationals allegedly involved in facilitating LockBit attacks: Artur Sungatov and Ivan Gennadievich Kondratyev, also known as "Bassterlord."
Bassterlord, recognized within the cybercrime community, is alleged to have produced training materials for aspiring criminals and participated in multiple interviews. In an interview with the Click Here podcast, Bassterlord identified himself as "Ivan," claimed Ukrainian nationality, and asserted retirement from criminal endeavors.
Leatherman described the two individuals as "original affiliates, dating back to at least LockBit 1.0."
Ransomware groups like LockBit typically operate on an affiliate model, wherein a central entity controls the infrastructure, leases access to it, and shares profits from operations conducted by "affiliates" using that infrastructure.
Sungatov and Kondratyev remain at large, and alongside Tuesday's indictment, the U.S. Treasury Department imposed sanctions against them. The U.S. State Department is poised to announce rewards of up to $10 million for information leading to the identification or location of LockBit leaders and $5 million for information on individuals involved in LockBit ransomware activities.
Earlier this month, similar rewards were offered by the State Department for information related to the ALPHV/BlackCat and Hive ransomware operations.
The operation against LockBit raises questions about its lasting impact. Previous operations against such groups have produced only temporary disruptions, with the groups resurfacing on new infrastructure. In December, the FBI seized some of ALPHV's infrastructure, but the group managed to regain control, and a version of its site remains active.
Leatherman refrained from divulging specifics of the LockBit operation but stated that the actions "disrupted the infrastructure behind LockBit in a completely different manner than BlackCat." While it's conceivable for a variant to "reconstitute," Leatherman asserted that LockBit would be unable to regain control of the servers utilized by the actors.
Both investigations remain ongoing, with entities believing themselves to be victims of LockBit encouraged to visit a new landing page established by the FBI.
The unsealed indictments on Tuesday mark the fourth and fifth cases brought against accused LockBit affiliates since 2022. Mikhail Vasiliev, a dual Russian and Canadian citizen, was apprehended in Canada in November 2022. He pleaded guilty in Canada on February 8 to cyber extortion and weapons charges, awaiting extradition to the United States.
Ruslan Magomedovich Astamirov, a Russian national, was arrested in Arizona in June 2023 for his alleged involvement in LockBit attacks.
Mikhail Pavlovich Matveev, another Russian national known as Wazawaka, was indicted in May 2023 for his role in ransomware attacks, including LockBit, Babuk, and Hive ransomware variants. The State Department offers a reward of up to $10 million for information leading to his arrest.