LockBit registered nearly 200 "affiliates" over the past two years
New details about LockBit operations are emerging
More information about the business operations of the LockBit ransomware gang has emerged, a day after the UK National Crime Agency (NCA) and partners apparently managed to disrupt the group and deface its leak site.
According to The Register, the NCA found 187 groups and individuals registered inside the LockBit affiliate portal. LockBit operated on a Ransomware-as-a-Service (RaaS) model, in which various groups signed up and used the encryptor and the infrastructure, in exchange for a cut of the profits (the ransom payment, essentially).
Law enforcement says the affiliates registered between January 31, 2022, and February 5, 2024.
"Have a nice day"
“Hello [user name], Law Enforcement has taken control of LockBit's platform and obtained all the information held on there. This information relates to the LockBit group and you, their affiliate,” the NCA said in a message left on the affiliate portal, following defacement. “We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more. You can thank Lockbitsupp and their flawed infrastructure for this situation… we may be in touch with you very soon.”
“If you would like to contact us directly, please get in touch. Have a nice day.”
LockBit is a Russia-based ransomware group that was considered one of the biggest threats - if not the biggest threat - in the ransomware industry. Given the location, arrests are highly unlikely, but the NCA, together with the FBI and a host of other law enforcement agencies, managed to infiltrate LockBit’s infrastructure and take it down. Whether or not LockBit returns in one form or another remains to be seen. However, with law enforcement turning their attention towards the affiliates, it’s possible that the ransomware industry will change forever.
"A large amount of data has been exfiltrated from LockBit's platform before it was all corrupted," a notice now stands on the LockBit website. "With this data, the NCA and partners will be coordinating further enquiries to identify the hackers who pay to be a LockBit affiliate. Some basic details published here for the first time."
Ciaran Martin, the former head of the UK's National Cyber Security Centre, told the BBC that this was “one of the most consequential disruptions ever undertaken” against a ransomware operator. “Certainly by far the biggest ever led by British police.”
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.