FULTON COUNTY, Ga. — Law enforcement took over the website of a group that claimed to have been holding sensitive information from Fulton County hostage for $1.2 billion.
The National Crime Agency UK said on Monday that LockBit 3.0's services have been disrupted as a result of international law enforcement action. It is an ongoing and developing operation to take down a group that claimed
Brett Callow, who is a threat analyst for Emsisoft, pointed out that while this isn't the first time a ransomware operation has been disrupted, he said, "It is probably the most significant disruption to date."
But who is this group, and how do ransomware gangs gain access to victims' information?
LockBit is known as one of the world's most prolific ransomware gangs, but it's currently unclear what kind of implications the site's disruption will have throughout the ransomware ecosystem.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), LockBit has operated as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure.
"They (LockBit) create ransomware, and other people use it to carry out the attacks, and they both split the money between them. LockBit takes 20% of the profits and the person who carried out the attack, known as the affiliates, they keep 80%," Callow explained.
CISA said in a cybersecurity advisory put out in 2023, which was labeled, 'Understanding Ransomware Threat Actors; LockBit, ' it reported the ransomware gang first popped up in the U.S. in 2020.
The report stated between 2020, and when the report was published, LockBit was behind more than 1,700 attacks across the U.S. and was paid more than $90 million in ransom.
"It is a massive problem," Callow said.
He added operations like this one that took down LockBit send a very clear message to other ransomware gangs.
"Ransomware operators for a very long time have operated with almost complete impunity. That is starting to change. Law enforcement is getting better at disrupting them and getting better at arresting them. People who are involved in ransomware are not as safe as they used to be," Callow explained.
Last week LockBit claimed responsibility for the ransomware attack on Fulton County, which crippled many key services.
This past Friday was the deadline the ransomware gang set -- either they would be paid, or they would release the stolen information. 11Alive has followed up with county officials to find out if a ransom was paid or if security issues have been fixed.
As of Monday, more services within Fulton County that were knocked offline appear to be coming back online.
But of course, Fulton County would just be one victim of this ransomware gang.
"They (LockBit) attack multiple organizations every week. Fulton County is simply one of many," Callow said. "They attack organizations across all sectors, governments, education and healthcare."
Callow said these ransomware gangs are not only growing in numbers but also getting more aggressive. He stated that five years ago, the average ransom was about $5,000, as mainly small businesses were affected.
But now, the average ransom has gone up to over $1 million -- making an almost 30,000% increase within a few years, he said.
"So these people are more motivated than ever. They invest more in their operations than ever because they have more to invest, and their attacks have become increasingly problematic., Callow explained. "A few years ago, they mainly had small businesses. Now they're taking down entire healthcare systems and attacks that affect multiple hospitals."
Callow said while every attack is different, he did give some insight into how the ransomware gangs gain access to their victims' cyberinfrastructure.
"The majority of attacks happened because of fairly basic security failings. If organizations really get the basics right, they can significantly reduce the likelihood that they'll be the next victim," he said.
A news conference is scheduled for Tuesday morning in London by the National Crime Agency, where 11Alive is expecting to learn more about this international operation that took down LockBit.
"What we don't know so far is exactly what's happened. We know that law enforcement has seized the websites, which means probably that they have obtained access to these servers, which host the websites, whether or not they did that remotely by hacking the infrastructure or whether they actually kicked on someone's door and has made some arrests. We don't know," Callow explained.
It is also unknown what kind of information law enforcement has obtained when disrupting the group's services. 11Alive will provide more information about this incident and the operation when it is received.