More information about the business operations of the LockBit ransomware gang has emerged, a day after the UK National Crime Agency (NCA) and partners apparently disrupted the group and defaced its leak site.
According to The Register, the NCA found 187 groups and individuals registered inside the LockBit affiliate portal. LockBit operated on a Ransomware-as-a-Service (RaaS) model, in which various groups signed up and used the encryptor and the infrastructure, in exchange for a cut of the profits (the ransom payment, essentially).
Law enforcement says the affiliates registered between January 31, 2022, and February 5, 2024.
“Have a nice day”
“Hello [user name], Law Enforcement has taken control of LockBit’s platform and obtained all the information held on there. This information relates to the LockBit group and you, their affiliate,” the NCA said in a message left on the affiliate portal, following defacement. “We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more. You can thank Lockbitsupp and their flawed infrastructure for this situation… we may be in touch with you very soon.”
“If you would like to contact us directly, please get in touch. Have a nice day.”
LockBit is a Russia-based ransomware group that was considered one of the biggest threats – if not the biggest threat – in the ransomware industry. Given the location, arrests are highly unlikely, but the NCA, together with the FBI and a host of other law enforcement agencies, managed to infiltrate LockBit’s infrastructure and take it down. Whether or not LockBit returns in one form or another remains to be seen. However, with law enforcement turning their attention towards the affiliates, it’s possible that the ransomware industry will change forever.
“A large amount of data has been exfiltrated from LockBit’s platform before it was all corrupted,” reads a notice now posted on the LockBit website. “With this data, the NCA and partners will be coordinating further enquiries to identify the hackers who pay to be a LockBit affiliate. Some basic details published here for the first time.”
Ciaran Martin, the former head of the UK’s National Cyber Security Centre, told the BBC that this was “one of the most consequential disruptions ever undertaken” against a ransomware operator. “Certainly by far the biggest ever led by British police.”