The UK has led an operation to disrupt what is believed to be the world's largest criminal ransomware group.
The National Crime Agency (NCA) hacked into Lockbit's system and stole its data.
The organization is believed to be based in Russia and, by volume, is the largest ransomware group selling services to other criminals.
On Monday evening, a message appeared on Lockbit's website, saying it was "now under the control of law enforcement".
The operation is being billed as one of the most significant disruptions in the cyber-criminal world. The FBI, Europol and other countries were also involved in the long-running operation, but this was the first of its kind led by the UK.
Criminals use Lockbit to hack into the computers of companies and organizations and lock users out until a ransom is paid. They often steal data and threaten to release it.
The group debuted in 2019 and has established itself as a dominant player. Some estimates suggest that it occupies around 20-25% of the ransomware market.
Lockbit's high-profile reported targets include Royal Mail, which it hit in January 2023, disrupting international deliveries. Last November, it hit the Industrial and Commercial Bank of China (ICBC), with a major impact on the financial world. Suppliers to the NHS, law firm Allen & Overy and aerospace company Boeing are said to have been affected, among others.
The operation had been running covertly for some time, with law enforcement gathering information before moving to a more public phase on Monday evening.
NCA's technical experts were able to get inside Lockbit's own system and take control. By doing so, they were able to steal a large amount of the criminal group's own data about its activities.
Since many companies don't admit they've been hacked and sometimes pay a ransom, this information can provide a unique insight into the true scale of the group's work.
As they moved into more open phases of operations, law enforcement went public about their intrusions.
They took control of the site on the dark web, where Lockbit promotes its activities, and replaced it with the symbols of various law enforcement agencies and a message: "The site is under the control of the UK's National Crime Agency, working in close cooperation with the FBI and the International Law Enforcement Task Force, 'Operation Cronos'."
At a press conference on Tuesday morning, the head of the NCA, Graeme Biggar, said they assessed that the group was responsible for 25% of ransomware attacks in the past year.
He suggested that the incidents had caused losses totaling crores of rupees. He said there were thousands of victims worldwide, including 200 known in the UK - although he added there could in fact be many more.
Lockbit's collaborators, known as affiliates, pay to be able to conduct hacking operations and receive both malicious software and advice.
But after the law enforcement action, affiliates who tried to log into the site were greeted with another message saying that Lockbit's internal data was now in the hands of law enforcement, including details of victims, the amount of money stolen "and much, much more". The message adds: "We may contact you shortly."
There have been so-called "take-downs" in the past, but in many cases criminal groups simply re-emerged after their online activities were disrupted by law enforcement, limiting the long-term impact.
But in this case, those behind the operation hope to have a more significant impact by undermining the group's credibility and attacking its reputation. The group relies heavily on branding. It even paid people to tattoo the Lockbit brand on their bodies.
The aim is to sow distrust by making affiliates aware that law enforcement now has their details, and to create a rift between them and those who run Lockbit, with other criminals who trusted the group seeing it as a risk to work with in the future.
Those directly involved in the operation say they believe the UK will be significantly safer from cyber-attacks in the short to medium term and describe the move as a 'step change' in the response to cyber-crime.
'Wholly Owned' - 'One of the most consequential disruptions ever undertaken'
Ciaran Martin, former head of the UK's National Cyber Security Centre, told the BBC: "On the face of it, this is one of the most consequential strikes against one of the ransomware giants and certainly the biggest ever led by the British police."
"There are few bigger players in ransomware than Lockbit, and NCA seems to completely 'own' them, as we say in cyber security," he added.
Those behind the Lockbit group are believed to be based in Russia, which means, like other similar groups, they are beyond the reach of law enforcement to arrest. That means disruption is often the only realistic option for undermining their operations as well as improving cyber-defenses.
A similar operation last year by the FBI against a group called BlackCat led to a spat between the group and US law enforcement over control of the site, a sign that these operations don't always go as planned.
But it is hoped that this operation, along with the public disclosure of Lockbit's activities, will disrupt them enough to prevent a swift return.