
The LockBit cybercrime takedown shows FBI is getting more media savvy

The takedown today of the world’s largest ransomware gang, the Russian-based LockBit, by the FBI, Europol, and the U.K.’s National Crime Agency was a major moment in law enforcement’s fight against cybercrime.

By some estimates, LockBit, which until its takedown by authorities ran a ransomware-as-a-service offering, is responsible for around 25% of all ransomware out there on the internet. “It is a significant success for the law enforcement agencies,” says Alan Woodward, professor of cybersecurity at the University of Surrey.

Boeing, children’s hospitals, and the U.K.’s Royal Mail were all high-profile victims of ransomware sicced on them by the gang. More than 2,000 victims made more than $120 million in payments to LockBit between 2019 and its takedown on February 20, according to Nicole M. Argentieri, acting assistant attorney general at the Department of Justice.

Taking down the gang from the inside and replacing it with a message saying it was under the control of the U.K.’s National Crime Agency (NCA), the lead agency in the investigation, was a notable moment—and one that investigators and crime fighters were keen to crow about. “As of today, LockBit is effectively redundant,” Graeme Biggar, director-general of the NCA, told a press conference in London. “We have hacked the hackers.”

But beyond the fact of taking down the criminal gang, today’s announcement was also significant in another way. It was perhaps the most hyped demonstration of a criminal gang takedown in law enforcement history.

In advance of the midmorning press conference in the U.K., the NCA and other agencies began sharing hourly countdowns to the official announcement of the outcome of their investigation, named Cronos, on social media. The message behind the drumbeat of posts was simple: Something big is coming. By the time the press conference arrived, and precisely what had happened was unveiled, there was more attention on the case. “The law enforcement agencies are learning that it matters to public trust to see that this is done,” says Woodward. “It also signals to the criminals there will be more to come.”

Indeed, the press conference today is just the start of a series of announcements unpicking the LockBit gang, with more expected to come. The gang’s website was also repurposed and rebranded with information about indictments, sanctions, and arrests that led from the initial Cronos investigation. “Policing and intelligence are stepping more into the limelight in general,” says Agnes Venema, a security and technology scholar at the University of Malta. “It’s probably one way of showing what they’re doing. People are asking politicians to take action on these things, and they can’t prove they’re effective unless they are public about it to a degree.”

The way in which the takedown has been communicated is also an interesting development, adds hacker and Predicta Lab CEO Baptiste Robert. “We can see some bigger, state organizations like the FBI and NCA communicating like hackers,” he says. “This is an image they want to show: We are hackers fighting hackers, and we are using the same speech and rhetoric as these guys, and we’ll fight with the same weapons.”

That’s something Woodward agrees with—particularly when considering how extensively they defaced LockBit’s website (traditionally, law enforcement might only post a seizure notice, whereas here they deployed what one watcher called “grade A trolling”). “The law enforcement agencies wanted to show that even with Tor, criminal networks are vulnerable and the criminals are not always that good at their own security so hacking the hackers is now a police tactic,” Woodward says.

Beyond the hype, there were other intriguing findings from the investigation—for instance, searches of what investigators found within the network showed that the criminals hadn’t destroyed the data they were paid ransoms for. “Once the law enforcement agencies had access to the network it became clear that the criminals operating it had no inner security,” says Woodward. “It quickly gave up data such as the Onion addresses for the Tor sites involved.” Using that information and more seized by law enforcement, the agencies have also published keys that will help victims decrypt data ensnared by tools developed by the LockBit gang.

“Our work does not stop here: together with our partners, we are turning the tables on LockBit—providing decryption keys, unlocking victim data, and pursuing LockBit’s criminal affiliates around the globe,” says FBI deputy attorney general Lisa Monaco.

Robert points out that such a boastful approach to communication as has been displayed today is high risk, high reward. While law enforcement can crow now about their successes, such an approach can backfire—but in this instance, it’s shown to be successful. So far. “If LockBit comes back tomorrow,” he says, “that could change.”
