In a coordinated action supported by Eurojust and Europol, judicial and law enforcement authorities from 10 different countries have severely disrupted LockBit, the world’s most active ransomware operation. Two members of the ransomware team have been arrested in Poland and Ukraine. In addition, law enforcement has compromised LockBit’s primary platform and other enabling infrastructure. This includes the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.
LockBit first emerged at the end of 2019, initially calling itself ‘ABCD’ ransomware. Since then, it has grown rapidly and by 2022 had become the most deployed ransomware variant worldwide. LockBit attacks are believed to have affected over 2,500 victims all over the world.
The group is a ‘ransomware-as-a-service’ operation, meaning that a core team creates its malware and runs its website, while licensing out its code to affiliates who launch attacks.
The joint action enabled the various police forces to take control of much of the infrastructure that enables the LockBit ransomware to operate, including the darknet, and, in particular, the ‘wall of shame’ used to publish the data of victims who refused to pay the ransom. This action has disrupted the network’s ability to operate.
Authorities have also frozen more than 200 cryptocurrency accounts linked to the criminal organisation.
This international operation follows a complex investigation led by the UK National Crime Agency. Supported by Eurojust and Europol, law enforcement from nine other countries worked in close partnership with the National Crime Agency on this case, including authorities in France, Germany, Sweden, the Netherlands, the United States, Switzerland, Australia, Canada and Japan.
The case was opened at Eurojust in April 2022 at the request of the French authorities. Five coordination meetings were hosted by the Agency to facilitate judicial cooperation and to prepare for the joint action.
Europol’s European Cybercrime Centre (EC3) organised 27 operational meetings and 4 technical 1-week sprints to develop the investigative leads in preparation for the final phase of the investigation. Europol also provided analytical, crypto-tracing and forensic support. In addition, three Europol experts were deployed to the command post in London during the action phase.
With Europol’s support, the Japanese Police, the National Crime Agency and the Federal Bureau of Investigation pooled their technical expertise to develop decryption tools designed to recover files encrypted by the LockBit ransomware. These solutions have been made available free of charge on the ‘No More Ransom’ portal, which is available in 37 languages. So far, more than 6 million victims across the globe have benefited from No More Ransom, which contains over 120 solutions capable of decrypting more than 150 different types of ransomware.
The following authorities took part in this investigation:
- United Kingdom: National Crime Agency, South West Regional Organised Crime Unit
- United States: U.S. Department of Justice, Federal Bureau of Investigation – Newark
- France: JUNALCO (National Jurisdiction against Organised Crime) Public Prosecutor’s Office Paris Cybercrime Unit – C3N (cyber unit); Gendarmerie Nationale
- Germany: Central Cybercrime Department North Rhine-Westphalia (CCD), State Bureau of Criminal Investigation Schleswig-Holstein (LKA Schleswig-Holstein), Federal Criminal Police Office (Bundeskriminalamt)
- Sweden: Swedish Cybercrime Centre, Swedish Prosecution Authority
- The Netherlands: National Police (Team Cybercrime Zeeland-West-Brabant, Team Cybercrime Oost-Brabant, Team High Tech Crime); Public Prosecutor’s Office Zeeland-West-Brabant
- Australia: Australian Federal Police
- Canada: Royal Canadian Mounted Police
- Japan: National Police Agency
- Switzerland: Zurich Cantonal Police; Public Prosecutor’s Office II of the Canton of Zurich