CNN –
The FBI and its international allies have seized a dark web site that the world's most prolific ransomware gang used to extort its victims, according to a report on the site seen by CNN.
It's a blow to the short-term operations of a multinational ransomware gang called LockBit, which poses a threat to organizations around the world, including healthcare providers in the United States. The hackers claimed responsibility for a ransomware attack in November that forced New Jersey-based Capital Health to cancel some patient appointments.
LockBit also claimed responsibility for ransomware attacks on the Industrial and Commercial Bank of China and Fulton County, Georgia, in recent months.
“We can confirm that Lockbit's services have been disrupted due to actions by international law enforcement authorities – this is an ongoing and evolving operation,” said a message posted on the hackers' website on Monday, along with the seals of the FBI, the UK National Crime Agency (NCA) and a host of other law enforcement agencies from Australia to Germany.
An NCA spokesperson confirmed to CNN that a law enforcement operation against LockBit was underway, adding that the agency would publicly release further details on Tuesday.
An FBI spokesman told CNN: “There will be a formal announcement and more details to follow.”
The seizure of a ransomware group's dark web site forces cybercriminals to set up new computing infrastructure to extort victims. It may also signal deeper law enforcement access to hackers' networks. In another operation against a ransomware gang announced a year ago, the FBI said it had access to decryption software that saved victims about $130 million in ransom payments.
Analysts believe LockBit has members or criminal partners in Eastern Europe, Russia and China. Like other well-funded ransomware groups, LockBit rents its ransomware to “partners” who use the malicious code in attacks and then collects a portion of the ransom paid by victims.
LockBit accounts for a quarter of the ransomware market, based on victim information the hackers posted online, according to Don Smith, vice president of threat research at cybersecurity company Secureworks.
This operation is the latest step in a multi-year battle that pits the FBI and its allies around the world against ransomware gangs, which are often based in Eastern Europe and Russia.
Despite notable arrests and seizures of millions of dollars in ransom payments by law enforcement, the ransomware economy continues to thrive.
Last year, cybercriminals extorted a record $1.1 billion in ransom payments from victim organizations around the world, despite attempts by the U.S. government to disrupt their money flows, according to an estimate by crypto tracking firm Chainalysis.
“It is highly unlikely that core members of the LockBit group will be arrested as part of this operation as they are based in Russia,” Allan Liska, a ransomware expert at cybersecurity firm Recorded Future, told CNN.
Nonetheless, law enforcement's seizure of the LockBit website represents a “significant, albeit short-term, impact on the ransomware ecosystem and a slowdown in attacks,” Liska said.
“LockBit has also developed a reputation as one of the most ruthless ransomware operators, encouraging its partners to target hospitals and schools,” he added. “My hope is that these sectors get some breathing room to build up their defenses.”