More information has emerged about the business operations of the LockBit ransomware gang, a day after the UK's National Crime Agency (NCA) and its partners apparently managed to disrupt the group and deface its leak site.
According Register, the NCA found 187 groups and individuals registered within the LockBit affiliate portal. LockBit operated on a ransomware-as-a-service (RaaS) model, where multiple groups would sign up and use the encryption and infrastructure, in exchange for a share of the profits (essentially a ransom payment).
Officials say members registered between January 31, 2022 and February 5, 2024.
“Have a nice day”
“Hello [user name], Law Enforcement took control of the LockBit platform and obtained all the information contained therein. “This information relates to the LockBit group and you, its affiliate,” the NCA said in a message left on the affiliate portal, following the defacement. “We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats and much, much more. You can thank Lockbitsupp and their failing infrastructure for this situation…we may contact you very soon.”
“If you would like to contact us directly, please let us know. Have a nice day.”
LockBit is a Russia-based ransomware group that was considered one of the biggest, if not the biggest, threats in the ransomware industry. Given the location, it is highly unlikely that arrests will be made, but the NCA, along with the FBI and a number of other law enforcement agencies, managed to infiltrate LockBit's infrastructure and take it down. Whether or not LockBit returns in one form or another remains to be seen. However, now that law enforcement is turning its attention to affiliates, the ransomware industry may change forever.
“A large amount of data has been extracted from the LockBit platform before it was completely corrupted,” a notice appears on LockBit's website. “With this data, the NCA and its partners will coordinate further investigations to identify hackers who pay to be LockBit affiliates. Some basic details are published here for the first time.”
Ciaran Martin, former head of the UK's National Cyber Security Centre, told the BBC it was “one of the largest disruptions ever undertaken” against a ransomware operator. “Certainly by far the largest attack ever led by British police.”