A joint effort that included the U.S. Department of Justice, the U.K. National Crime Agency's (NCA) Cyber Division, the FBI, and other international law enforcement partners announced today that they have disrupted one of the most active ransomware groups in the world, LockBit.
The task force seized several websites used by the outfit to connect to the organization's infrastructure. Authorities also seized control of servers used by LockBit administrators, which should disrupt the bad actors' ability to attack and encrypt networks and extort victims by threatening to publish stolen data.
LockBit has hit more than 2,000 victims, many in the manufacturing industry, received more than $120 million in ransom payments and made ransom demands totaling hundreds of millions of dollars. Now, with the seizure, it's possible that victims can get their data back.
Most Read on IEN:
- Podcast: Breaking Down the Boeing Hack
- Stranded Space Factory Can Finally Return to Earth
- Podcast: Army Scraps Billion-Dollar Program; United Grounds New Planes; Russian Component Conspiracy
- Gen Z in Manufacturing: Working for Lockheed Martin
LockBit and their homegrown strand of malware is notorious for targeting the industrial sector, and were linked to last year’s attack on Boeing.
In a statement, Attorney General Merrick Garland said, "We have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data."
This could be a huge development, given that LockBit recently pioneered a bug bounty program that offered to pay up to $1 million to any hacker who could identify vulnerabilities within the group's malware strain.
Beginning today, victims targeted by LockBit's malware contact the FBI to determine whether affected systems can be successfully decrypted.
The Justice Department today also unsealed an indictment charging a pair of Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against several U.S. victims, including manufacturing businesses.
According to the indictment, from at least January 2021, Sungatov deployed LockBit ransomware against victim corporations and took steps to fund additional LockBit attacks against other victims. Sungatov allegedly deployed LockBit ransomware against manufacturing, logistics, and other companies located in Minnesota, Indiana, Puerto Rico, Wisconsin, Florida, and New Mexico.
The LockBit ransomware variant first appeared around January 2020 and was one of the world's most active and destructive variants.
Merrick Garland says LockBit is not the first ransomware variant to be dismantled and will not be the last.
Deputy Attorney General Lisa Monaco adds that while authorities "have now destroyed the online backbone of the LockBit group," their work "does not stop here."
Victims can contact https://lockbitvictims.ic3.gov/ for more information.
Manufacturers are also encouraged to download, How to Defend Against Hackers, a new report from Rockwell Automation.
Additional reporting from Jeff Reinke, host of the Security Breach podcast.
