U.S., Global Law Enforcement Takes Down Prolific LockBit Ransomware Group

One of the most active ransomware groups in the world was busted by global law enforcement, its websites and servers seized, and key figures indicted.  

Websites and servers belonging to the LockBit ransomware group were seized by the U.K. National Crime Agency’s Cyber Division, in cooperation with the Department of Justice (DOJ), Federal Bureau of Investigation (FBI), and other international law enforcement partners.

Since first surfacing in early 2020, LockBit targeted over 2,000 victims and received more than $120 million in ransom payments, making it one of the most prolific ransomware groups on the dark web.

According to cybersecurity firm Palo Alto Networks, LockBit accounted for 23 percent of the nearly 4,000 global ransomware attacks in 2023.

LockBit, which is dominated by Russian speakers and does not attack former Soviet nations, operated by selling access to destructive malware, which purchasers could then use to attack networks, holding the information hostage in exchange for payment.

“For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation,” said U.S. Attorney General Merrick B. Garland. 

Authorities took down the website and replaced it with pages offering free recovery tools as well as information on the arrests and criminal charges that LockBit’s masterminds are facing.

In addition, authorities gained “comprehensive access” to LockBit’s systems, allowing them to decrypt data and enabling victims to regain access to their compromised systems.

Brett Callow of the cybersecurity firm Emsisoft told the Associated Press that it’s “probably the most significant ransomware disruption to date.”

Two Indictments

DOJ announced indictments against two Russian nationals for their involvement in LockBit.

Artur Sungatov allegedly used LockBit to scam manufacturing, logistics, and insurance companies in Minnesota, Indiana, Puerto Rico, Wisconsin, Florida, and New Mexico.

Ivan Kondratyev, aka “Bassterlord,” is accused of deploying LockBit against municipal and private targets in Oregon, Puerto Rico, and New York, as well as victims in Singapore, Taiwan, and Lebanon.

With the indictment unsealed, a total of five LockBit members have now been charged for their participation in the LockBit conspiracy.

Concurrent with the criminal charges, the U.S. Treasury Department imposed sanctions on Sungatov and Kondratyev.

“We will continue our whole-of-government approach to defend against malicious cyber activities, and will use all available tools to hold the actors that enable these threats accountable,” said Deputy Treasury Secretary Wally Adeyemo.

