Date: 2024-02-20

LockBit's website has been replaced with a notice that says it is now 'under the control of law enforcement'

A Russia-linked cyber gang responsible for hacking Royal Mail has been locked out of its own website after a cyber raid led by Britain’s National Crime Agency (NCA) and the FBI.

LockBit’s website was taken down late on Monday night and replaced with a notice that said it is now “under the control of law enforcement”.

Anyone trying to log into LockBit’s website is now met with the message: “We may be in touch with you very soon. Have a nice day.”

Police investigators claimed to have broken into the gang’s IT systems, frozen 200 cryptocurrency accounts linked to the group and made multiple arrests.

The crackdown was a joint operation between the FBI, NCA and Europol to disrupt a hacking group that has targeted major businesses and extorted hundreds of millions of dollars in recent years.

It comes more than a year after LockBit, a criminal gang with ties to Russia, hacked Royal Mail and knocked out its international delivery service for weeks.

A LockBit attack on Royal Mail disrupted deliveries in January 2023

American prosecutors said LockBit had extorted a total of $120m from ransom victims in the US alone.

Graeme Biggar, director general of the NCA, said: “As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”

Law enforcement officials from Europol arrested two individuals believed to be members of LockBit in Poland and Ukraine.

US authorities have charged five Russians in relation to LockBit. Two of the suspects charged by the US are in custody: Mikhail Vasiliev, who is being held in Canada awaiting extradition, and Ruslan Magomedovich Astamirov, who is in the US.

The remaining three, Artur Sungatov, Ivan Kondratyev and Mikhail Pavlovich Matveev, are at large.

Mr Biggar said that while a large number of the cyber criminals were based in Russia, the agencies had not seen evidence of state-sponsored support. However, he said authorities there appeared to be turning a blind eye to the hacking gang.

Mr Biggar said: “There’s clearly some tolerance of cyber criminality within Russia.

“We have not seen the Russian authorities crack down and arrest the cyber criminals we know operate in their jurisdiction, so we can read into that they tolerate that activity.”

Hundreds of people are thought to have been involved in running the group.

Home Secretary James Cleverly says the NCA has delivered a ‘major blow’ to ransomware criminals - Jonathan Brady/PA

The NCA said it had identified a hierarchy within the organisation, but would not comment on the extent to which it had targeted those individuals.

James Cleverly, the Home Secretary, said: “The National Crime Agency’s world leading expertise has delivered a major blow to the people behind the most prolific ransomware strain in the world.”

The NCA said the infrastructure supporting LockBit’s tool that was used to steal data, known as StealBit, based in three countries, has also been seized.

US officials said they had seized control of key servers used by LockBit.

On the gang’s former dark web page, a post signed by police said: “This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, Operation Cronus.”

The new web page carried the logos of the FBI, NCA, Europol and multiple European police agencies, as well as forces from Australia, Japan and Canada.

Deputy US attorney general Lisa Monaco said in a statement: “Using all our authorities and working alongside partners in the United Kingdom and around the world, we have now destroyed the online backbone of the LockBit group, one of the world’s most prolific ransomware gangs.”

However, an alleged spokesman for the group posted on an encrypted messaging forum that its backup servers remain operational.

LockBit, which emerged in 2020, uses ransomware to scramble a victim’s IT systems and steal data before demanding a payment for its release. It also sells its hacking tools to other gangs.

The group attempted to extort £66m in cryptocurrency from Royal Mail during an attack in January 2023.

The postal giant refused to pay but the incident ended up costing the business £10m as a result of repairs and upgrades to its IT system.

Aerospace company Boeing is among those targeted by LockBit’s ransomware - PETER CZIBORRA/REUTERS

LockBit leaked files it had stolen from Royal Mail. However, most were innocuous and did not contain any sensitive or customer information.

In addition to Royal Mail, LockBit’s ransomware has been used to target Taiwanese semiconductor manufacturing giant TSMC and aerospace company Boeing.

The group was also responsible for hacking the Industrial and Commercial Bank of China, which is one of the world’s largest lenders.

Paul Foster, head of the NCA’s national cybercrime unit, said that LockBit’s popularity was partly because it was so easy to use.

He said: “LockBit had established itself as the preeminent ransomware strain over the last four years and one of the reasons for this was its intuitive platform and its relative ease of use.

“That means just with a few simple clicks even the less technically savvy cybercriminals used LockBit to deploy ransomware.

“Another key reason for their past criminal success was the marketing and branding that underpinned LockBit. They had a slick website and they had loyal customers.”

The gang behind the software used marketing tactics including paying $1,000 to customers who had the logo tattooed on themselves and promising to pay anyone who spotted errors in their code.