Law enforcement agencies from 10 countries have disrupted the notorious LockBit ransomware operation in a joint operation known as "Operation Cronos."
According to a banner displayed on LockBit's data leak website, the site is now under the control of the National Crime Agency of the United Kingdom.
"The site is now under the control of law enforcement. This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos," the banner reads.
"We can confirm that Lockbit's services have been disrupted as a result of International Law Enforcement action - this is an ongoing and developing operation."
LockBit's leak site is no longer accessible, showing either the seizure banner or an "Unable to connect" error saying the connection was refused. However, some of the gang's other dark web sites (including other sites used to host data and send private messages to the gang) are still up.
BleepingComputer has also confirmed that LockBit's ransom negotiation sites are down but do not currently display a seizure message from the NCA.
"The NCA can confirm that LockBit services have been disrupted as a result of international law enforcement action. This is an ongoing and developing operation," an NCA spokesperson told BleepingComputer.
The law enforcement agencies behind Operation Cronos are expected to publish a joint press release tomorrow at 12:30 CET.
The LockBit operation is run by a threat actor known as LockBitSupp, who communicates over the Tox messaging service. His account status on the service now shows a message stating that the FBI breached the ransomware operation's servers using a PHP exploit.
"FBI f****d up servers via PHP, backup servers without PHP can't be touched," reads LockBitSupp's translated status message written in Russian.
The LockBit ransomware-as-a-service (RaaS) operation surfaced in September 2019 and has since targeted a wide range of high-profile organizations worldwide.
Police have also taken down LockBit's affiliate panel and added a message saying LockBit source code, chats, and victim information were also seized.
"Law Enforcement has taken control of Lockbit's platform and obtained all the information held on there. This information relates to the Lockbit group and you, their affiliate. We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more," the message displayed on the LockBit panel reads.
"You can thank Lockbitsupp and their flawed infrastructure for this situation... we may be in touch with you very soon. Have a nice day. Regards, The National Crime Agency of the UK, the FBI, Europol, and the Operation Cronos Law Enforcement Task Force."
LockBit's victim list includes the UK Royal Mail, the City of Oakland, the Continental automotive giant, and the Italian Internal Revenue Service.
Most recently, Bank of America warned customers their personal information was exposed in a data breach after Infosys McCamish Systems (IMS), one of its service providers, was hacked in an attack claimed by the LockBit ransomware gang.
Cybersecurity authorities in the United States and partners worldwide said in a joint advisory released in June that the LockBit gang has extorted at least $91 million from U.S. organizations following as many as 1,700 attacks since 2020.
In recent years, law enforcement also seized ALPHV (BlackCat) ransomware's servers and Hive ransomware's Tor payment and data leak sites.
Update February 19, 17:20 EST: Added NCA statement confirming LockBit disruption.
Update February 19, 18:05 EST: Added details on LockBit seized panel, Tox status message.
Comments
Dominique1 - 1 week ago
If the authorities exploited a PHP vulnerability, so can bad actors, and this is even more concerning. PHP needs to fix this.