It is one of the most active ransomware groups in the world.
Spotted in 2019 for the first time, the Russian-speaking hacker group Lockbit reportedly collected around $91 million in ransoms in total.
Its main site was dismantled by law enforcement on February 19 during Operation Cronos, an offensive led by 11 countries, including France.
“This site is now under law enforcement control
,” says a message on the home page, specifying that the British Organized Crime Agency (NCA) has taken control, in cooperation with Europol , the American FBI and agencies from several countries, including the National Cyber Unit of the National Gendarmerie.
To discover
PODCAST - Listen to the latest episode of our Tech Questions series
It was on this site in particular that the hackers displayed the names of the victims, revealed the amount of the ransoms and published the stolen data.
In France, the group had notably targeted the Corbeil-Essonnes hospital in 2022, demanding 1 million dollars not to publish its sensitive information.
Among the other victims: La Poste Mobile, the Loiret department or a branch of the Thalès group, making him a head to be killed.
The “most active and most destructive” group
The hacker group specializes in “ransomware”
attacks
.
It infiltrates the system, encrypts and blocks data in order to demand a ransom for not disclosing it.
If the victim does not pay the required amount, all of the files are put online or resold.
In November 2022, the US Department of Justice called LockBit ransomware “the
most active and destructive variant in the world”
.
In France, the group was at the origin of 27% of ransom demands in 2022 and 2023 and the National Information Systems Security Agency (Anssi) processed 69 hacks attributed to it.
Read alsoCybersecurity: record year for ransomware, haunting global companies
These hackers are used to targeting critical infrastructure and large industrial groups, with ransom demands ranging from 5 to 70 million euros.
Abroad, Lockbit has notably targeted in 2023 the Royal Mail (the British post office), the German automobile supplier Continental, the California administration and the American sandwich chain, Subway.
Other sites remain active
Be careful,
however, not to declare victory too quickly :
on
Note that even if their main site is offline, LockBit's ransomware operations may continue and other subsidiary sites remain accessible.
Also read Dark Web, encrypted networks and ransomware: diving into the dark world of cybercriminal trackers
Many hacker groups have been supposedly
“dismantled”
in recent years and have quickly reemerged.
When one head is cut off, others grow back just as quickly.
Especially since some of these pirates often reside in Russia and therefore remain safe from the police forces who are looking for them.
Others are
“affiliated”
, independent hackers who use Lockbit’s software by paying them a percentage of the ransoms obtained.
They are therefore more difficult to identify.
The media exposure, the sting operations and the notoriety that LockBit enjoys today in the world of cybercrime have
“transformed it into a real crime enterprise, with its administrators, hackers who rent the software, services negotiation and communication"
, like other groups, as detailed by the specialized media Numerama.
In a joint memo, the cybercrime agencies noted that LockBit was responsible for 16% to 27% of ransom demands depending on the country.