
Global law enforcement takes down ransomware group that targeted U.S. hospitals and schools

At least five alleged members of the group were named or arrested as part of the action.
Attorney General Merrick Garland during a meeting with federal, state and local law enforcement leaders in New York on Nov. 27, 2023. Eduardo Munoz / Pool via AFP - Getty Images

A coalition of international law enforcement agencies has disrupted one of the most destructive strains of ransomware in recent history, Lockbit, which cybercriminals frequently use to attack American hospitals and schools.

In one of the largest cybercrime takedowns to date, agencies from the United States, United Kingdom and 12 other countries dismantled Lockbit’s infrastructure and replaced its dark web site with a list of agency press releases and resources for victims.

Brett Leatherman, deputy assistant director of the FBI Cyber Division, said in a press conference Tuesday that the takedown was “several years in the making.” 

Attorney General Merrick Garland said in a YouTube video Tuesday that the action against Lockbit’s purveyors was “taking away the keys to their criminal operation.” 

Ransomware is a type of cybercrime in which hackers use malicious software to encrypt a network of computers, usually belonging to a business or critical service, and demand a cryptocurrency payment for a promise to fix the problem. Such attacks routinely cripple operations at American hospitals, public schools, businesses and police departments.

The issue has become an epidemic, with victims sending their attackers a record $1 billion last year.

While the cybercrime underworld is littered with ransomware strains, Lockbit has been the most prolific in recent years, in part because its developers offer it to practically any would-be cybercriminal, said Allan Liska, a ransomware analyst at the cybersecurity firm Recorded Future. 

“Anyone who pays to join is accepted with little or no vetting,” he said. That lack of scruples helps explain why it’s so frequently used to hack hospitals, he said.

At least five alleged members of the Lockbit operation have been named or arrested as part of the action. Two affiliates were arrested in Ukraine and Poland, respectively, at the request of French law enforcement, a Europol announcement said.

Many ransomware hackers are located in Russia, which has enabled a thriving cybercriminal scene and does not extradite its own citizens, frustrating authorities in countries where victims reside.

Mikhail Pavlovich Matveev, a Russian national, is allegedly a prolific ransomware affiliate currently based in Russia. FBI

The Justice Department issued indictments for Russian nationals Artur Sungatov and Ivan Kondratyev, who have been named for the first time publicly, and said that an at-large alleged Russian cybercriminal, Mikhail Matveev, was also involved with Lockbit. Last year, the State Department offered a $10 million reward for information that leads to his arrest.

With those core suspects seemingly still free to operate in Russia, there’s little doubt that they could rebuild Lockbit’s empire, said Don Smith, vice president of threat intelligence at the cybersecurity company SecureWorks.

“I’m sure the rebuild wouldn’t take long but much of this operation has been about eroding trust in the criminal ecosystem,” he said.