NCA sting takes down LockBit ransomware criminals that targeted KNP Logistics

The sting operation, known as Operation Cronos and involving the FBI and international partners from nine other countries, has infiltrated the LockBit network, resulting in the the arrest of two LockBit actors this morning (20 February) in Poland and Ukraine, and the freezing of over 200 cryptocurrency accounts linked to the group.

Two other individuals, responsible for using LockBit to carry out ransomware attacks, are in custody in the US and will face trial there. The US has also unsealed indictments against another two individuals, who are Russian nationals, for conspiring to commit LockBit attacks. 

LockBit has carried out a proliferation of ransomware attacks since its launch four years ago, with thousands of victims targeted around the world, causing losses of billions of pounds, dollars and euros, both in ransom payments and in the costs of recovery. 

The group provided ransomware-as-a-service to a global network of hackers or ‘affiliates’, supplying them with the tools and infrastructure required to carry out attacks.

Victims’ networks were infected by LockBit’s malicious software, their data stolen and their systems encrypted. A ransom would then be demanded in cryptocurrency for the victim to decrypt their files and prevent their data from being published.

The NCA has taken control of LockBit’s primary administration environment, which enabled its affiliates to build and carry out attacks.

It has also gained control of the group’s public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims.

In a move which turns the tables on the criminals, this site will now host a series of information exposing LockBit’s capability and operations, which the NCA will be posting daily throughout the week.

The agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have worked with them and used their services to harm organisations throughout the world. 

Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, which NCA said shows that, even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised.

LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over 12 hours this infrastructure, based in three countries, was seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates were also taken down.

The NCA said: ”As a result of our work, the NCA and international partners are in a position to assist LockBit victims. The agency has obtained over 1,000 decryption keys and will be contacting UK-based victims in the coming days and weeks to offer support and help them recover encrypted data. FBI and Europol will be supporting victims elsewhere.”

Graeme Biggar, NCA director general, added: ”This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

The NCA also appealed to victims of ransomware to report any attacks as soon as possible, adding: ”The earlier people report, the quicker the NCA and partners are able to assess new methodologies and limit the damage they can do to others,” adding that victims should use the government’s Cyber Incident Signposting Site as soon as possible.

KNP Logistics Group, which included subsidiaries Knights of Old, Nelson Distribution, Steve Porter Transport and Merlin Supply Chain Solutions, suffered a major LockBit ransomware attack in June last year, which its administrators said hit key systems, processes and financial information and “adversely impacted” on the group’s financial position and its ability to secure additional investment and funding, forcing it into administration.

Cyber crime experts hailed the sting operation today. However Huseyin Can Yuceel, security researcher at Picus Security, also warned that unless arrests are made these sites could spring up again

”Ransomware groups often leverage public-facing vulnerabilities to infect their victims with ransomware. This time, Operation Cronos gave LockBit operators a taste of their own medicine,” he said.

”Although the LockBit group claims to have untouched backup servers, it is unclear whether they will be back online. Currently, LockBit associates are not able to log in to LockBit services. In a Tox message, adversaries told their associates that they would publish a new leak site after the rebuild. Takedowns are short-lived if no one is arrested.”

Andy Kays, chief executive at IT security service Socura, echoed Yuseel’s warning. He said: ”LockBit has long been a scourge to businesses, government agencies and security professionals the world over. It is arguably the most active ransomware group ever, whose attacks are both devastating and indiscriminate.

He added: ”At this stage, it’s always extremely difficult to know if a campaign like this will put a group out of action for good. This always depends on where the individuals are based, and if they are known to the authorities. We’ve seen time and time again, that the same individuals can re-emerge and re-group.”

Pointing to the countdown clock being used by NCA to release LockBit information on its website today, which echoes the method previously used by LockBit to bribe their victims, Kays hailed it as an ”an apt role reversal. Now it is LockBit whose future hangs in the balance as an online countdown clock ticks down to zero,” he said.

.