
US Charges Two Russian Nationals for Lockbit Ransomware Attacks

Law enforcement agencies are dismantling Lockbit's ransomware operations and have so far issued five indictments and three arrest warrants and made two arrests.

Kate Irwin, Reporter


The US Department of Justice (DOJ) has charged two Russian nationals for allegedly using Lockbit's ransomware-as-a-service tool "Stealbit" to attack US residents, the government agency announced Tuesday.

"Today’s indictment, unsealed as part of a global coordinated action against the most active ransomware group in the world, brings to five the total number of Lockbit members charged by my office and our FBI and Computer Crime and Intellectual Property Section partners for their crimes," said US Attorney Philip R. Sellinger for the District of New Jersey in a statement.

"Our investigation will continue, and we remain as determined as ever to identify and charge all of Lockbit’s membership—from its developers and administrators to its affiliates. We will put a spotlight on them as wanted criminals. They will no longer hide in the shadows," Sellinger added.

The DOJ's charges are part of a broader takeover of Lockbit's illicit services. The UK's National Crime Agency (NCA), the US Federal Bureau of Investigation (FBI), the DOJ, and a host of other law enforcement groups have seized the notorious ransomware group's site on the dark web, obtaining the group's source code and other data, the NCA said in a statement.

"We have hacked the hackers," said NCA Director General Graeme Biggar.

EU enforcement agency Europol has also arrested two unnamed Lockbit affiliates in Poland and Ukraine as part of the shutdown. Europol calls Lockbit's tools "the world's most harmful ransomware."

Lockbit previously offered its ransomware to a range of affiliates, but it's unclear to what extent those illicit services have now been disrupted. The DOJ shared that the FBI has shut down numerous servers connected to Stealbit, and the NCA reported that 28 Lockbit-affiliated servers have been dismantled in total.

Law enforcement agencies have found over 1,000 decryption keys and will be giving them to current Lockbit victims.

More than 200 cryptocurrency wallets connected to Lockbit attackers have also been frozen, according to the NCA and Europol.

VX Underground, a group that claims to collect and share malware source code samples, posted a purported screenshot of a message from law enforcement that now appears when Lockbit affiliates attempt to access their ransomware tools.

VX Underground also reported that the Lockbit group posted a message in Russian on encrypted messaging platform Tox claiming that the FBI "fucked up" its PHP servers, but that its backup servers "are not touched."

Reached for comment regarding whether Lockbit has any "untouched" servers, the NCA told PCMag via email: "Lockbit's systems have been compromised."

Lockbit members have claimed responsibility for, or have reportedly been connected to, attacks on a range of different entities, from Subway to Boeing, a SpaceX supplier, and even a dental insurance firm.

Editors' Note: This story has been updated to include additional comment from the NCA.
