On February 20, 2024, the National Crime Agency (NCA) of Britain and the Federal Bureau of Investigation (FBI) announced the successful disruption of the Lockbit ransomware gang, marking a significant milestone in the fight against cybercrime. This operation, known as Operation Cronos, was a collaborative effort involving law enforcement agencies from the UK, the US, and several other countries, with support from private sector partners.
The campaign against Lockbit involved the seizure of the group’s infrastructure (including their leak site) and 34 servers, the closure of 14,000 rogue accounts, the freezing of 200 cryptocurrency accounts, and 5 indictments against members of the group. Additionally, law enforcement agencies arrested two individuals associated with Lockbit in Poland and Ukraine, further crippling the group’s operations.
By seizing Lockbit’s decryption keys, law enforcement agencies have enabled the development of new decryption tools to assist victims in recovering their encrypted files.
Recommendations
Access Free Decryption Tools
Victims of LockBit ransomware may access the free decryption tools made available through cooperation with law enforcement. Instructions for recovery will vary depending on the country of origin.
If your organization requires assistance decrypting a past LockBit incident or responding to an active ransomware attack, please fill out this web form to initiate a case with Arctic Wolf Incident Response.
| Country | Supporting Organization | Instruction |
| --- | --- | --- |
| US | FBI | Reach out to the FBI to obtain keys through the following website: https://lockbitvictims.ic3.gov/ |
| UK | NCA | Reach out to the NCA to obtain keys through this email: lockbit@nca.gov.uk |
| All other countries | Europol, Politie (NL) | Follow the instructions for Lockbit 3.0 decryption on the following site: https://www.nomoreransom.org/en/decryption-tools.html#Lockbit30 |