Dive Brief:
- An international group of law enforcement partners said it disrupted LockBit ransomware operations Tuesday, seizing the infrastructure of one of the most prolific ransomware groups in recent history.
- The Department of Justice, working in conjunction with U.K. authorities and other international law enforcement agencies, unsealed indictments against two Russian nationals, Artur Sungatov and Ivan Kondratyev, charging them with deploying LockBit against numerous companies around the U.S. and other targets overseas.
- The FBI and the U.K. National Crime Agency, working with multiple partners, also seized numerous public-facing websites and servers used by LockBit. Authorities obtained decryption keys that will allow hundreds of targeted organizations and others to regain access to data the ransomware had encrypted.
Dive Insight:
LockBit has targeted more than 2,000 ransomware victims, ranging from large enterprises to small, local businesses, collecting more than $120 million in ransom payments, according to the DOJ.
LockBit was considered the most dominant threat group in 2023, accounting for 25% of ransomware activity, according to Secureworks. The next-most prolific group, ALPHV, also known as BlackCat, accounted for 8.5%.
LockBit has claimed responsibility for the attack against the U.S. broker-dealer arm of the Industrial and Commercial Bank of China. The attack disrupted more than $9 billion in assets backed by U.S. Treasuries, according to U.S. officials.
LockBit claimed credit for the January attack on trading platform EquiLend and previously claimed an attack on the California Department of Finance in 2022.
In November the FBI and the Cybersecurity and Infrastructure Security Agency issued an advisory about LockBit 3.0 affiliates exploiting CitrixBleed (CVE-2023-4966, a session-token disclosure flaw in Citrix NetScaler ADC and Gateway appliances) to launch attacks against various organizations, including Boeing.
“For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world,” Attorney General Merrick Garland said in a video statement announcing the operation. “Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation.”
Sungatov allegedly began deploying ransomware as early as January 2021 against a range of victims, according to the indictment. These included manufacturing, logistics, insurance and other companies in Minnesota, Indiana, Wisconsin, New Mexico and Puerto Rico, as well as international companies in Singapore, Taiwan and Lebanon.
Kondratyev, known online as “Bassterlord,” allegedly deployed LockBit against municipal and private targets in Oregon, New York and Puerto Rico.
The two men allegedly joined an international LockBit conspiracy that included Mikhail Pavlovich Matveev and Mikhail Vasiliev. Matveev was charged in May and is the subject of a $10 million reward offer. Vasiliev was charged in November 2022 and is in custody in Canada.
The law enforcement interventions come as researchers say private-sector defenders can only do so much to protect against criminal activity, and that law enforcement's distinct capabilities are vital to the response.
“Law enforcement can take the fight further, providing complementary action with powers to conduct technical disruption, seize illicit funds and ultimately bring people to justice,” said Rafe Pilling, director of threat intelligence at Secureworks, via email. “This is critical to the fight against ransomware.”