Law enforcement agencies from 12 countries have arrested four suspects connected to the LockBit ransomware gang, including a developer, a bulletproof hosting administrator, and two individuals involved in LockBit activities.
This coordinated effort also resulted in the seizure of LockBit infrastructure servers and included officers from Operation Cronos, a task force led by the U.K.’s National Crime Agency (NCA) as part of a global crackdown that began in April 2022.
Europol reports that in August 2024, French authorities requested the arrest of a suspected LockBit ransomware developer while he was on holiday outside Russia. During the same month, the NCA detained two additional suspects believed to be linked to LockBit, one connected to a LockBit affiliate and another under suspicion of money laundering.
In a separate action, Spain’s Guardia Civil arrested a bulletproof hosting administrator at Madrid airport, whose service had shielded LockBit’s infrastructure.
Today, Australia, the U.K., and the U.S. announced sanctions against a suspected LockBit affiliate, who the NCA believes is also tied to the cybercriminal group Evil Corp. The U.K. imposed sanctions on 15 more Russian nationals involved with Evil Corp, while the U.S. sanctioned six individuals, and Australia targeted two.
“These actions follow the significant disruption of LockBit’s infrastructure in February 2024, along with a series of sanctions and operations against LockBit administrators in May and the months that followed,” Europol stated.
Additional LockBit arrests and charges
LockBit, which first surfaced in September 2019, has since been linked to numerous attacks on high-profile organizations globally, including Bank of America, Boeing, Continental, the Italian Internal Revenue Service, and the UK Royal Mail.
In February 2024, Operation Cronos dismantled LockBit’s infrastructure, seizing 34 servers and retrieving over 2,500 decryption keys, which were later used to develop a free LockBit 3.0 Black Ransomware decryptor.
The U.S. Department of Justice and the UK’s National Crime Agency (NCA) estimate that the gang has extorted up to $1 billion through at least 7,000 attacks between June 2022 and February 2024.
Previous arrests of individuals connected to LockBit include Mikhail Pavlovich Matveev (aka Wazawaka) in May 2023, Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord) in February 2024, and Dmitry Yuryevich Khoroshev (aka LockBitSupp and putinkrab) in May 2024.
In July, Russian nationals Ruslan Magomedovich Astamirov and Canadian/Russian national Mikhail Vasiliev also confessed to involvement in at least a dozen ransomware attacks as LockBit affiliates. Astamirov was arrested in Arizona in June 2023 for deploying LockBit ransomware, while Vasiliev, extradited to the U.S. in June, has already been sentenced to four years in federal prison.
Source: BleepingComputer, Sergiu Gatlan