An international law enforcement operation on Monday seized servers and disrupted the infrastructure used by the LockBit ransomware syndicate, the latest in a string of operations aimed at hobbling the technical infrastructure of criminal and espionage groups.
In a series of indictments, court actions and sanctions, an operation dubbed “Operation Cronos” carried out by the Federal Bureau of Investigation and the U.K.’s National Crime Agency together with a range of international partners took control of a site used by LockBit to leak data belonging to its victims, the group’s file share service and communications server, various affiliate and support servers, and a server for LockBit’s administrative panel, a senior FBI official told CyberScoop.
As part of the operation, the FBI has obtained access to nearly 1,000 decryption keys, allowing for the potential recovery or remediation of ongoing LockBit extortion operations.
“This operation is demonstrative of the unique and impactful mission the FBI has to impose costs on highly sophisticated cyber actors and to simultaneously prioritize assistance to victims of cyberattacks,” Brett Leatherman, the deputy assistant director of cyber operations at the FBI, said in an interview.
A LockBit representative confirmed the operation in an online message posted on X by VX-Underground, an online malware repository. “FBI pwned me,” the representative said.
“As of today, LockBit are locked out,” Graeme Biggar, the National Crime Agency Director General, said in a statement. “We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”
Two people were arrested as part of the operation — one in Poland and one in Ukraine — as part of the operation, Europol said in its statement.
The takedown is the latest in a string of FBI operations targeted at disrupting cybercrime and cyberespionage infrastructure around the world under Rule 41, a legal framework that enables the FBI to access computers across multiple jurisdictions and modify them. Last week, the agency announced the takedown of a Russian military intelligence-controlled botnet. In January, the FBI took down a Chinese botnet used to penetrate sensitive U.S. targets.
LockBit first emerged in September 2019 and is believed to be the world’s most widely used ransomware variant. Leatherman said it has been used by more than 100 affiliates around the world, resulted in more than $144 million in ransomware payments and that at least 2,000 businesses and other entities around the world, including at least 1,600 in the U.S., have been targeted by it. In 2023, it was the most used ransomware variant to target industrial facilities, accounting for a quarter of all such incidents tracked by the cybersecurity firm Dragos.
As part of Tuesday’s operation, the U.S. government unsealed indictments against two Russian nationals for their alleged roles in facilitating LockBit attacks: Artur Sungatov and Ivan Gennadievich Kondratyev (also known as “Bassterlord”).
Bassterlord is well known in the cybercrime ecosystem, having allegedly produced training materials for upstart criminals, according to an Analyst1 report, as well as participating in multiple interviews. In an interview with the Click Here podcast, Bassterlord said he preferred to go by “Ivan,” that he was Ukrainian, and that he had retired from his criminal career.
Leatherman described the two men as “original affiliates, from at least LockBit 1.0.”
Ransomware groups like LockBit typically operate on an affiliate model, by which a central entity controls the infrastructure on which the ransomware operates, leases access to that system and then splits profits from the operations that the so-called “affiliates” run using that infrastructure.
Sungatov and Kondratiev remain at large and alongside Tuesday’s indictment, the U.S. Treasury Department imposed sanctions against them. The U.S. State Department is also set to announce rewards of up to $10 million for information leading to the identification or location of any LockBit leaders, as well as $5 million for information about individuals participating in LockBit ransomware activities.
Earlier this month, the State Department offered similar rewards for information related to the ALPHV/BlackCat and Hive ransomware operations.
The takedown operation against LockBit raises questions about how lasting it will be. Previous operations against such groups have seen their operations temporarily disrupted only for the groups to return using new infrastructure. In December, the FBI seized some of ALPHV’s infrastructure, but the group “unseized it,” and a version of the site remains active.
Leatherman declined to get into the specifics of the operation against LockBit, but said the actions “disrupted the infrastructure behind LockBit in a completely different manner than BlackCat.” It’s always possible for a variant to “reconstitute,” Leatherman said, but “LockBit will be unable to regain control of the servers the actors were using.”
Both investigations remain ongoing, he added. Entities that think they’ve been victims of LockBit are encouraged to go to a new landing page established by the FBI.
The indictments unsealed Tuesday mark the fourth and fifth cases brought against accused LockBit affiliates since 2022. Mikhail Vasiliev, 34, a dual Russian and Canadian citizen, was arrested in Canada in November 2022. He pleaded guilty Feb. 8 in Canada to cyber extortion and weapons charges, and awaits extradition to the United States.
Ruslan Magomedovich Astamirov, a Russian national, was arrested in Arizona in June 2023 for his alleged role in LockBit attacks.
Mikhail Pavlovich Matveev, another Russian national and also known as Wazawaka, was indicted in May 2023 for his role in ransomware attacks that included LockBit malware, as well as Babuk and Hive ransomware variants. The State Department is offering a reward of up to $10 million for information leading to his arrest.
Updated Feb. 20, 2024: This article has been updated with comments from the FBI’s Brett Leatherman, an exchange between LockBit and VX-Underground, comments from NCA Director General Graeme Biggar and information about arrests in Poland and Ukraine.
