February 21, 2024

U.S. and UK enforcement lock in on LockBit

On February 20, 2024, the United States sanctioned two individuals associated with LockBit Ransomware Group, a cybercriminal organization based in Russia.  The action, taken by the U.S. Department of the Treasury’s Office of Foreign Assets Control in cooperation with the U.S. Department of Justice, the Federal Bureau of Investigation, and international partners in ten countries, follows the designation of other Russian cybercriminals in recent months.

According to OFAC, LockBit uses a double extortion tactic: it first exfiltrates data from victims, then encrypts the victims’ computer systems and demands a ransom in cryptocurrency for return of the data and unlocking of the encrypted systems.  OFAC has attributed to LockBit a November 2023 attack against the U.S. broker-dealer of a large commercial bank.

Ivan Kondratiev and Artur Sungatov, both Russian nationals, were designated pursuant to Executive Order 13694, as amended by Executive Order 13757, for engaging in cyber-enabled activities that may threaten national security, foreign policy, or the economic health or financial stability of the United States.

As a result of these designations by OFAC, all property and interests in property of the designated persons within the United States or within the possession or control of a U.S. person are blocked, and U.S. persons are generally prohibited from engaging in transactions involving a designated person.  Entities owned 50 percent or more by one or more blocked persons are also blocked.

Simultaneously with the designations, indictments were unsealed against Kondratiev and Sungatov in the U.S. District Courts for the District of New Jersey and the Northern District of California, charging the men with deploying LockBit ransomware against numerous victims.  Warrants were also issued for the search of servers used by LockBit in connection with its ransomware projects.

On the same day that the designations and indictments were announced in the United States, the UK National Crime Agency revealed details of its infiltration of LockBit’s network.  According to the NCA, the agency took control of LockBit’s primary administration environment, obtained the LockBit platform’s source code, and gathered intelligence about the group’s activities and affiliates.  The NCA plans to use the decryption keys it has obtained to help victims recover their data.

Press release (Treasury) | Press release (NCA) | Indictment | Press release (DOJ)