{ "id": "b44c42ba-ca3c-4839-a983-abb5e75be05b", "created_at": "2026-04-06T00:22:25.159623Z", "updated_at": "2026-04-10T03:33:15.536198Z", "deleted_at": null, "sha1_hash": "2d2fb2f7c849f8eef89e030f8890ee3bfb18799a", "title": "LockBit power cut: four new arrests and financial sanctions against affiliates", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 477162, "plain_text": "LockBit power cut: four new arrests and financial sanctions\r\nagainst affiliates\r\nBy Europol\r\nPublished: 2024-10-01 · Archived: 2026-04-05 21:55:18 UTC\r\nEuropol supported a new series of actions against LockBit actors, which involved 12 countries and Eurojust and\r\nled to four arrests and seizures of servers critical for LockBit’s infrastructure. A suspected developer of LockBit\r\nwas arrested at the request of the French authorities, while the British authorities arrested two individuals for\r\nsupporting the activity of a LockBit affiliate. The Spanish officers seized nine servers, part of the ransomware’s\r\ninfrastructure, and arrested an administrator of a Bulletproof hosting service used by the ransomware group. In\r\naddition, Australia, the United Kingdom and the United States implemented sanctions against an actor who the\r\nNational Crime Agency had identified as prolific affiliate of LockBit and strongly linked to Evil Corp. The latter\r\ncomes after LockBit’s claim that the two ransomware groups do not work together. The United Kingdom\r\nsanctioned fifteen other Russian citizens for their involvement in Evil Corp’s criminal activities, while the United\r\nStates also sanctioned six citizens and Australia sanctioned two.\r\nLockBit full infrastructure in the crosshairs of law enforcement\r\nThese are some of the results of the third phase of Operation Cronos, a long-running collective effort of law\r\nenforcement authorities from 12 countries, Europol and Eurojust, who joined forces to effectively disrupt at all\r\nhttps://www.europol.europa.eu/media-press/newsroom/news/lockbit-power-cut-four-new-arrests-and-financial-sanctions-against-affiliates\r\nPage 1 of 3\n\nlevels the criminal operations of the LockBit ransomware group. These actions follow the massive disruption of\r\nLockBit infrastructure in February 2024, as well as the large series of sanctions and operational actions that took\r\nplace against LockBit administrators in May and subsequent months.\r\nBetween 2021 and 2023, LockBit was the most widely employed ransomware variant globally with a notable\r\nnumber of victims claimed on its data leak site. Lockbit operated on the ransom as a service model. The core\r\ngroup sold access to affiliates and received portions of the collected ransom payments. Entities deploying LockBit\r\nransomware attacks had targeted organisations of various sizes spanning critical infrastructure sectors such as\r\nfinancial services, food and agriculture, education, energy, government and emergency services, healthcare,\r\nmanufacturing and transportation. Reflecting the considerable number of independent affiliates involved, LockBit\r\nransomware attacks display significant variation in observed tactics, techniques and procedures.\r\nNo More Ransom to decrypt your files\r\nWith Europol’s support, the Japanese Police, the National Crime Agency and the Federal Bureau of Investigation\r\nhave concentrated their technical expertise on developing decryption tools designed to recover files encrypted by\r\nthe LockBit Ransomware.\r\nThe support from the cybersecurity sector has also proven crucial for minimising the damage from ransomware\r\nattacks, which remains the biggest cybercrime threat. Many partners have already provided decryption tools for a\r\nnumber of ransomware families via the ‘No More Ransom’ website.\r\nThese solutions have been made available for free on the ‘No More Ransom’ portal, available in 37 languages. So\r\nfar, more than 6 million victims around the globe have benefitted from No More Ransom, which contains over\r\n120 solutions capable of decrypting more than 150 different types of ransomware.\r\nEuropol’s support\r\nEuropol facilitated the information exchange, supported the coordination of the operational activities and provided\r\noperational analytical support, as well as crypto tracing and forensic support. The analysis workflow proposed\r\nafter the first operation enabled a joint work focused on the identification of the LockBit actors. The advanced\r\ndemixing capabilities of Europol’s Cybercrime Centre enabled the identification of several targets. Following the\r\ninitiation operations against LockBit’s infrastructure in the beginning of 2024, Europol organised seven technical\r\nsprints, three of which were fully dedicated to cryptocurrency tracing. During the action days, Europol deployed\r\nan expert to provide on-the-spot support to the national authorities.\r\nThe Joint Cybercrime Action Taskforce (J-CAT) at Europol supported the operation. This standing operational\r\nteam consists of cyber liaison officers from different countries who work from the same office on high-profile\r\ncybercrime investigations.\r\nAuthorities participating in Operation Cronos\r\nAustralia: Australian Federal Police\r\nCanada: Royal Canadian Mounted Police/ Gendarmerie royale du Canada\r\nhttps://www.europol.europa.eu/media-press/newsroom/news/lockbit-power-cut-four-new-arrests-and-financial-sanctions-against-affiliates\r\nPage 2 of 3\n\nFrance: Gendarmerie - (Gendarmerie Nationale – Unité nationale cyber C3N); Court of Paris JUNALCO\r\n(National Jurisdiction against Organised Crime) Cybercrime Unit\r\nGermany: State Bureau of Criminal Investigation (Landeskriminalamt Kiel) and Federal Criminal Police\r\nOffice (Bundeskriminalamt)\r\nJapan: National Police Agency of Japan (警察庁)\r\nSpain: Spanish Civil Guard (Guardia Civil)\r\nSweden: Swedish Police Authority\r\nSwitzerland: Switzerland Fedpol – Zurich State Police\r\nNetherlands: National Police (Politie) Dienst Regionale Recherche Oost-Brabant\r\nRomania: National Police Central Cybercrime Unit\r\nUnited Kingdom: National Crime Agency, South West Regional Organised Crime Unit (South West\r\nROCU)\r\nUnited States: Federal Bureau of Investigation Newark\r\nEmpact\r\nThe European Multidisciplinary Platform Against Criminal Threats (EMPACT) tackles the most important threats\r\nposed by organised and serious international crime affecting the EU. EMPACT strengthens intelligence, strategic\r\nand operational cooperation between national authorities, EU institutions and bodies, and international partners.\r\nEMPACT runs in four-year cycles focusing on common EU crime priorities.\r\nSource: https://www.europol.europa.eu/media-press/newsroom/news/lockbit-power-cut-four-new-arrests-and-financial-sanctions-against-affilia\r\ntes\r\nhttps://www.europol.europa.eu/media-press/newsroom/news/lockbit-power-cut-four-new-arrests-and-financial-sanctions-against-affiliates\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.europol.europa.eu/media-press/newsroom/news/lockbit-power-cut-four-new-arrests-and-financial-sanctions-against-affiliates" ], "report_names": [ "lockbit-power-cut-four-new-arrests-and-financial-sanctions-against-affiliates" ], "threat_actors": [ { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5", "created_at": "2022-10-25T16:07:23.797925Z", "updated_at": "2026-04-10T02:00:04.752608Z", "deleted_at": null, "main_name": "LockBit Gang", "aliases": [ "Bitwise Spider", "Operation Cronos" ], "source_name": "ETDA:LockBit Gang", "tools": [ "3AM", "ABCD Ransomware", "CrackMapExec", "EmPyre", "EmpireProject", "LockBit", "LockBit Black", "Mimikatz", "PowerShell Empire", "PsExec", "Syrphid" ], "source_id": "ETDA", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null }, { "id": "6c4f98b3-fe14-42d6-beaa-866395455e52", "created_at": "2023-01-06T13:46:39.169554Z", "updated_at": "2026-04-10T02:00:03.23458Z", "deleted_at": null, "main_name": "Evil Corp", "aliases": [ "GOLD DRAKE" ], "source_name": "MISPGALAXY:Evil Corp", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434945, "ts_updated_at": 1775791995, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2d2fb2f7c849f8eef89e030f8890ee3bfb18799a.pdf", "text": "https://archive.orkl.eu/2d2fb2f7c849f8eef89e030f8890ee3bfb18799a.txt", "img": "https://archive.orkl.eu/2d2fb2f7c849f8eef89e030f8890ee3bfb18799a.jpg" } }