LockBit hit again by international law enforcement, members arrested and servers seized

In yet another blow to the LockBit ransomware group, a joint operation by international law enforcement agencies has resulted in the arrest of four LockBit members and the seizure of critical servers used to power its operations. The coordinated effort, involving 12 countries, Europol, and Eurojust, also led to the sanctioning of a Russian national named Aleksandr Ryzhenkov who has ties with the notorious EvilCorp ransomware group.

Among those arrested was a suspected LockBit developer, apprehended by French authorities, and two individuals detained in the UK for supporting a LockBit affiliate. Spanish law enforcement seized nine servers that were crucial to the group’s ransomware activities and arrested an administrator running a Bulletproof hosting service used by LockBit.

Operation Cronos: A multi-year campaign

The arrests and seizures are part of the third phase of Operation Cronos, a long-running campaign aimed at disrupting LockBit's criminal activities. This latest action builds upon previous successes following earlier strikes against LockBit’s infrastructure and affiliates in February and May 2024.

Notorious ransomware gang

Between 2021 and 2023, LockBit was the most widely deployed ransomware variant globally, targeting sectors such as financial services, healthcare, government, energy, and more. The group operated on a ransomware-as-a-service model, selling access to affiliates and taking a cut of the ransom payments.

It was only a matter of time before they had a target on their heads.

Technical Expertise and Decryption Tools

The operation benefited from the technical expertise of law enforcement agencies and the cybersecurity sector. The Japanese Police, National Crime Agency, and Federal Bureau of Investigation developed decryption tools to help victims recover files encrypted by LockBit ransomware. These tools, along with others for various ransomware families, are freely available on the No More Ransom portal.

Europol has revealed it played a pivotal role in facilitating information exchange, coordinating operational activities, and providing analytical support. The agency's advanced capabilities enabled the identification of key targets and the tracking of cryptocurrency transactions associated with LockBit's operations.