Operation Cronos: Notorious LockBit Ransomware Disrupted
The LockBit ransomware operation has been targeted by an international coalition of law enforcement agencies. At the time of writing, both the dark web site LockBit used for publishing stolen data and the site it used for ransom negotiations have been seized by authorities. Some of the group's lower-traffic domains, however, are still reachable.
LockBit is among the most infamous ransomware operations to date. The group behind it carries out targeted intrusions against chosen organizations, while also using malicious software that automatically scans for and exploits security vulnerabilities to gain initial access.
Once inside an enterprise or institution, the attackers follow the double-extortion model: they first collect various types of data and exfiltrate it to servers under their control, and only then encrypt the victim's systems. If the organization refuses to pay, they threaten to publish all of the stolen data on the dark web, so that even a victim with working backups is still pressured into paying.
The operation, carried out by law enforcement agencies from several countries, is codenamed Operation Cronos. It has dismantled parts of LockBit's infrastructure, most visibly the dark web sites used for leaking data.
LockBit's data leak site now displays a seizure notice stating that it is under the control of the UK's National Crime Agency, working in close cooperation with the FBI and the international law enforcement task force Operation Cronos.
The UK's National Crime Agency has confirmed that LockBit's operations have been disrupted as a result of the joint international effort. It stresses that this is not the end of the matter, describing the action as an ongoing and evolving operation.
The participating agencies have announced a press release for February 20th at 12:30 CET, in which they will reveal details of the operation.
For now, at least, the takedown does not appear to have eradicated the gang entirely, which is rarely the outcome of such actions. One LockBit member claims that the FBI compromised the group's servers through a PHP vulnerability, and, according to the same claim, the group's backup servers were unaffected because they do not run PHP. This account comes from the group itself and has not been confirmed by the agencies involved.