At the start of 2024, it was announced that the UK’s National Crime Agency (NCA had disrupted the services of the ransomware group LockBit.

A group responsible for 25% of ransomware attacks across 2023-2024, the LockBit group were in operation for four years and targeted thousands of victims around the world, and caused losses of billions; both in ransom payments and in the costs of recovery.

In its statement, the NCA declared that is had taken control of LockBit’s primary administration environment, “which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims.”

First Steps of the Operation

This week at 44CON in London, Will Lyne, head of cyber intelligence at the NCA talked about being behind the operation, and in particular, admitting the first reaction was “what are we going to do” when there was total access to the “treasure trove” and “unparalleled access to the inner workings” of the this cybercrime operation.

Lyne was told initially the NCA ‘had access to some data’ and then found out there wa access to all the data and when doing technical disruptions, and going after the infrastructure, you have to try to do something a little bit different. “So we wanted to go against the threat actors” he said, wondering how could they undermine trust and confidence among the operators and users, and the platform. “We decided to use their tactics and use their infrastructure against them,” he said.

Time to Pay Attention

In particular, the LockBit operators introduced timers for victims to pay, so the NCA used a timer to control the infrastructure, which lasted a week. Over time, it added press releases, details of takedowns and disruptions, and a decryption key, and added attribution to its administrator ‘LockBitSupp’. 

Lyne said there is also data relating to the other about 200 LockBit affiliates as well as the database and negotiation tools and tactics, and all of the wallets where the money went.

So what happened next? Lyne explained that once it took control of the infrastructure and put these details up, affiliates were trying to login and were greeted with a message to LockBitSupp and “all of his friends” but the NCA and its international partners had taken over the infrastructure - “you'll be hearing from us very soon, have a nice day!”

Lyne said that there is more to come on this, and “that was just the start of the operation” of the treasure code of data in a way we've never had before.

What Success?

The question is whether this works, and how do you measure the cost and risk and understand how someone is feeling. “For us as a law enforcement organisation that traditionally arrests people, this is really different and in particular, the threat posed by LockBit has decreased significantly. 

However Lyne said the measurement factor was important, especially understanding whether it worked or not, and what the learning points are - especially with a history of doing takedowns at the NCA - and understanding if this is a win or not. 

Taking a step back, Lyne said he believes there has been a fragmentation of the cybercrime ecosystem, but there is more ransomware groups than ever now, as well as a range of sophistication. He said this has led to division and some ransomware operators undermining others, and a move from Russia speakers to group based around the world.

What is interesting here is that the NCA were suddenly in the possession of the keys to a very powerful vehicle, and had to make a decision on what to do with it: park it and let it die? Push messages out with a decryption key? Make sure everyone knew that there was a new boss in charge? The final point seems to be the most appropriate here, but it’s something to consider. 

The other key point is measuring the success of this management of LockBit: do you learn anything new that you didn’t before? What can you do differently now that you could not before? 

The operation to run LockBit is apparently a successful one, and the NCA is to be commended on this work to push information out and support infected users. As Lyne said though, there is “more to come” and we will have to wait to find out what other jewels are in the treasure trove.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.