The world’s most prolific ransomware group has been disrupted as a result of an international investigation involving law enforcement agencies from 10 countries, including the AFP.
The ransomware group was allegedly responsible for running LockBit, which has caused billions of dollars’ worth of harm across the globe, including millions to Australian individuals and businesses since it was first identified in 2019.
The Europol-led investigation, known as Operation Cronos, has disrupted LockBit’s critical infrastructure. This included its primary platform and 34 servers across Australia, Netherlands, Germany, Finland, France, Switzerland, the United States and the United Kingdom.
France’s National Gendarmerie arrested two alleged LockBit actors in Poland and Ukraine, and a further three arrest warrants and five indictments have been issued by French and US law enforcement.
More than 200 cryptocurrency accounts allegedly owned by the ransomware group have been frozen by law enforcement, stripping the group of significant profits.
Authorities have obtained a significant amount of data since the investigation started, after the UK National Crime Agency took over LockBit’s technical infrastructure. Further arrests across the globe are expected.
LockBit was known to criminals as a ‘ransomware-as-a-service’ product, meaning criminals with little to no technological skills could purchase and use a ready-made ransomware program to attack their victims.
Ransomware is a type of malicious software that once installed onto a device or networks, encrypts the data and files, making them unusable. Cybercriminals use ransomware to extort payments from victims in exchange for the recovery of, and ability to regain access to the encrypted data.
Assistant Commissioner Scott Lee said the international investigation was a significant breakthrough in the global fight against cybercrime.
“Cybercrime is not restricted by borders and tackling this crime type requires a united, global response from law enforcement,” Assistant Commissioner Lee said.
“The AFP continues to work closely with our international law enforcement partners, as demonstrated through the recent disruption of the BlackCat ransomware group.
“This latest takedown is yet another example of the powerful outcomes that can be achieved through a united law enforcement front.
“This investigation has not only taken down the world’s most prolific ransomware group, but also damaged the group’s reputation and credibility beyond repair.
“We have obtained a vast amount of data from investigations so far and will continue to follow all leads and bring those responsible to justice.
Operation Aquila
Australia continues to experience persistent and pervasive cybercrime threats that target critical infrastructure, governments, industry and the Australian community.
The emergence of ‘ransomware-as-a-service’ has allowed criminals with relatively low technical capability to deploy sophisticated attacks.
In response to this growing threat, the AFP and the Australian Signals Directorate (ASD) established Operation Aquila in November 2022 to investigate, target and disrupt cybercriminal syndicates, with a priority on ransomware threat groups.
Under Operation Aquila, the AFP and ASD investigate the highest priority cyber criminals targeting Australia, including the LockBit and BlackCat ransomware groups.
AFP’s contribution to the operation includes criminal investigations, target development and disruption, and engagement with key international partners. In the 2022-23 financial year, this included analysing 204 ransomware incidents, undertaking 18 proactive preventative engagements and distributing 10 intelligence products.
How to protect yourself
The Japanese Police, supported by Europol, developed a decryption tool designed to recover files encrypted by the LockBit 3.0 Black Ransomware.
This solution has been made available for free on the ‘No More Ransom’ portal, available in 37 languages.
The AFP is committed to equipping all Australians with the knowledge and resources to protect themselves against cybercrime.
Watch our cybercrime prevention videos and protect yourself from being a victim of cybercrime.
The Australian Cyber Security Centre also has a range of practical guides to help organisations protect themselves against ransomware attacks.
If you believe you are a victim of ransomware or any other cybercrime, report it to ReportCyber. If there is an imminent threat to your safety, call Triple Zero.
