{
	"id": "76b556ed-2e00-4489-86cd-94ee33a7fb00",
	"created_at": "2026-04-06T00:22:33.964752Z",
	"updated_at": "2026-04-10T13:12:12.379684Z",
	"deleted_at": null,
	"sha1_hash": "44697e9938e3c39d19b5de32805a57b06e09e32d",
	"title": "International investigation disrupts the world’s most harmful cyber crime group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2184301,
	"plain_text": "International investigation disrupts the world’s most harmful\r\ncyber crime group\r\nBy cms-user26\r\nArchived: 2026-04-05 21:49:50 UTC\r\nThe National Crime Agency is today, Tuesday 20 February, revealing details of an international disruption\r\ncampaign targeting LockBit, the world’s most harmful cyber crime group. \r\nToday, after infiltrating the group’s network, the NCA has taken control of LockBit’s services, compromising their\r\nentire criminal enterprise.\r\nLockBit have been in operation for four years and during that time, attacks utilising their ransomware were\r\nprolific. LockBit ransomware attacks targeted thousands of victims around the world, including in the UK, and\r\ncaused losses of billions of pounds, dollars and euros, both in ransom payments and in the costs of recovery. The\r\ngroup provided ransomware-as-a-service to a global network of hackers or ‘affiliates’, supplying them with the\r\ntools and infrastructure required to carry out attacks.\r\nWhen a victim’s network was infected by LockBit’s malicious software, their data was stolen and their systems\r\nencrypted. A ransom would be demanded in cryptocurrency for the victim to decrypt their files and prevent their\r\ndata from being published.\r\nThe NCA has taken control of LockBit’s primary administration environment, which enabled affiliates to build\r\nand carry out attacks, and the group’s public-facing leak site on the dark web, on which they previously hosted,\r\nhttps://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group\r\nPage 1 of 3\n\nand threatened to publish, data stolen from victims. 
Instead, this site will now host a series of information\r\nexposing LockBit’s capability and operations, which the NCA will be posting daily throughout the week.\r\nThe Agency has also obtained the LockBit platform’s source code and a vast amount of intelligence from their\r\nsystems about their activities and those who have worked with them and used their services to harm organisations\r\nthroughout the world. \r\nSome of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing\r\nthat even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have\r\npromised.\r\nThe NCA, working closely with the FBI, and supported by international partners from nine other countries, have\r\nbeen covertly investigating LockBit as part of a dedicated taskforce called Operation Cronos.\r\nLockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data.\r\nOver the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos\r\ntaskforce, and 28 servers belonging to LockBit affiliates have also been taken down.\r\nThe technical infiltration and disruption is only the beginning of a series of actions against LockBit and their\r\naffiliates. In wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland\r\nand Ukraine, and over 200 cryptocurrency accounts linked to the group have been frozen.\r\nThe US Department of Justice has announced that two defendants responsible for using LockBit to carry out\r\nransomware attacks have been criminally charged, are in custody, and will face trial in the US. \r\nThe US has also unsealed indictments against two further individuals, who are Russian nationals, for conspiring to\r\ncommit LockBit attacks. \r\nAs a result of our work, the NCA and international partners are in a position to assist LockBit victims. 
The Agency\r\nhas obtained over 1,000 decryption keys and will be contacting UK-based victims in the coming days and weeks\r\nto offer support and help them recover encrypted data.\r\nFBI and Europol will be supporting victims elsewhere.\r\nNational Crime Agency Director General, Graeme Biggar said: “This NCA-led investigation is a ground-breaking\r\ndisruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are,\r\nand no matter how advanced, is beyond the reach of the Agency and our partners.\r\n“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their\r\nsource code, and obtained keys that will help victims decrypt their systems.\r\n“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group\r\nthat depended on secrecy and anonymity.\r\n“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they\r\nare, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone\r\nassociated with them.”\r\nHome Secretary James Cleverly said: “The National Crime Agency’s world leading expertise has delivered a\r\nmajor blow to the people behind the most prolific ransomware strain in the world.  \r\n“The criminals running LockBit are sophisticated and highly organised, but they have not been able to escape the\r\narm of UK law enforcement and our international partners.  \r\n“The UK has severely disrupted their sinister ambitions and we will continue going after criminal groups who\r\ntarget our businesses and institutions.”  \r\nU.S. Attorney General Merrick B. 
Garland said: “For years, LockBit associates have deployed these kinds of\r\nattacks again and again across the United States and around the world. Today, U.S. and U.K. law enforcement are\r\ntaking away the keys to their criminal operation.\r\n“And we are going a step further - we have also obtained keys from the seized LockBit infrastructure to help\r\nvictims decrypt their captured systems and regain access to their data. LockBit is not the first ransomware variant\r\nthe U.S. Justice Department and its international partners have dismantled. It will not be the last.”\r\nFBI Director Christopher A. Wray said: \"Today, the FBI and our partners have successfully disrupted the LockBit\r\ncriminal ecosystem, which represents one of the most prolific ransomware variants across the globe.\r\n\"Through years of innovative investigative work, the FBI and our partners have significantly degraded the\r\ncapabilities of those hackers responsible for launching crippling ransomware attacks against critical infrastructure\r\nand other public and private organizations around the world. This operation demonstrates both our capability and\r\ncommitment to defend our nation's cybersecurity and national security from any malicious actor who seeks to\r\nimpact our way of life. We will continue to work with our domestic and international allies to identify, disrupt, and\r\ndeter cyber threats, and to hold the perpetrators accountable.\"\r\nThe NCA leads the UK law enforcement response to tackling cyber crime, disrupting offenders where possible by\r\nenabling criminal justice outcomes, and also through a broad range of other means including online disruption,\r\nsanctions, travel bans, and working with partners like NCSC to ensure technology is secure and safe by design.\r\nThe NCA’s National Cyber Crime Unit also works with a network of Regional Cyber Crime Units based in the\r\nnine Regional Organised Crime Units (ROCU) of England and Wales.  
This operation developed from work by the\r\nSouth West ROCU, and continues to be supported by personnel there.\r\nPublic engagement is key to this response so it is vital that organisations report if they are the victim of a\r\nransomware attack. The earlier people report, the quicker the NCA and partners are able to assess new\r\nmethodologies and limit the damage they can do to others.\r\nIf you are in the UK, you should use the Government’s Cyber Incident Signposting Site as soon as possible for\r\ndirection on which agencies to report your incident to.\r\n20 February 2024\r\nSource: https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group"
	],
	"report_names": [
		"nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434953,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44697e9938e3c39d19b5de32805a57b06e09e32d.pdf",
		"text": "https://archive.orkl.eu/44697e9938e3c39d19b5de32805a57b06e09e32d.txt",
		"img": "https://archive.orkl.eu/44697e9938e3c39d19b5de32805a57b06e09e32d.jpg"
	}
}