Operation Cronos: NCA reveals details of LockBit affiliates

Operation has been crippled - for now

The UK's National Crime Agency (NCA) has revealed further details on LockBit, the ransomware group whose infrastructure law enforcement breached earlier this week.

On Monday a global effort led by the NCA saw the takedown of LockBit's dark web leak sites and the acquisition of decryption keys.

The action was part of Operation Cronos, a multinational operation involving law enforcement agencies from the UK, USA, Germany, France, Australia, Switzerland, Finland and the Netherlands.

The NCA says it gained a wealth of data on the group's affiliates from LockBit's seized infrastructure, which shows that 187 distinct entities registered between 31st January 2022 and 5th February 2024.

The affiliates, who engaged with LockBit's ransomware-as-a-service model, profited from deploying LockBit's ransomware in exchange for a share of the extorted funds.

A message posted by law enforcement on LockBit's website explains that large amounts of data have been exfiltrated from LockBit's platform, and the NCA and its allies will be conducting more enquiries to identify the hackers who pay to be LockBit affiliates.

The NCA has also defaced the affiliate portal with a message directed at all affiliates - one that should be strikingly familiar to any criminal cyber group:

"Hello [user name], Law Enforcement has taken control of LockBit's platform and obtained all the information held on there. This information relates to the LockBit group and you, their affiliate. We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more. You can thank Lockbitsupp and their flawed infrastructure for this situation… we may be in touch with you very soon," the message reads.

Stomping StealBit

The multinational operation also targeted StealBit, a bespoke data exfiltration tool used by LockBit affiliates.

StealBit, first deployed alongside LockBit 2.0 attacks in 2021, enabled the theft and processing of victim data. The NCA said all six of StealBit's proxy servers have been located and "destroyed."

The agencies also claim to have seized 34 LockBit servers globally, and over 200 crypto wallets the gang used to collect ransom payments.

At least three LockBit affiliates have been apprehended in coordinated operations in Ukraine and Poland.

Ukrainian cyber police announced on Wednesday the arrest of a "father and son" duo suspected of carrying out cyberattacks on behalf of LockBit, impacting individuals, state agencies, enterprises and healthcare institutions in France.

The suspects were apprehended in the western Ukrainian city of Ternopil, where authorities searched their residences, confiscating cell phones and computer equipment believed to have been used in the commission of cybercrimes.

In parallel, Polish law enforcement arrested a 38-year-old individual in Warsaw, identified as an alleged affiliate of LockBit.

Meanwhile, the United States escalated its efforts to combat LockBit and its affiliates, announcing a $15 million reward for information leading to the arrest or conviction of any individual involved in the ransomware group.

The rewards, facilitated through the Transnational Organized Crime Rewards Program (TOCRP), offer $10 million for information aiding in the identification or location of LockBit leadership, with an additional $5 million earmarked for tips leading to the apprehension of LockBit ransomware affiliates.

Earlier this week, the United States Department of Justice (DOJ) unsealed indictments against two alleged members of the LockBit group, Russian nationals Artur Sungatov and Ivan Kondratiev, aka Bassterlord.

The indictments accuse them of deploying the LockBit ransomware against victims in multiple US states and Puerto Rico, as well as globally in sectors such as manufacturing, logistics and insurance.
