InfoSec / Cyber

Major cyber-criminal gang LockBit brought down by UK Law Enforcement

The NCA (National Crime Agency) has infiltrated systems belonging to LockBit, in a UK-led operation to disrupt what is thought to be the world's largest criminal ransomware group. For the last four years, the LockBit group has been hacking into thousands of businesses, schools and medical facilities around the world.
The cyber criminals are thought to be linked to Russia. In August last year they attempted to extort a school in Leeds for information about the children, particularly about special educational needs. LockBit operates on a Ransomware-as-a-Service (RaaS) model, in which affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure, with the main gang taking a cut of the affiliates’ earnings.

On Monday evening, a message appeared on LockBit's website, saying it was "now under control of law enforcement".

The NCA's technical experts had been able to get inside LockBit's own systems and take control. In doing so, they were able to steal a large amount of the criminal group's own data about its activities.

Since many companies do not admit they have been hacked and sometimes pay a ransom, this data may well provide a unique insight into the true scale of the group's work as well.

Source of information: BBC News: LockBit: UK leads disruption of major cyber-criminal gang


Further information reported by Computing says that the United States Department of Justice unsealed indictments against two alleged members of the LockBit ransomware group, as part of a broader global operation aimed at dismantling the criminal enterprise. The number of LockBit members currently charged is five. Details about the crimes and charges can be read at Computing: US Charges Russian Nationals

Disruption to the LockBit operation is significantly greater than first revealed. As well as taking control of the LockBit website and LockBit's primary administration environment, the NCA has also seized the infrastructure that allowed the group to manage and deploy the technology that it used to extort businesses and individuals around the world:
The Guardian: Seized ransomware network LockBit rewired to expose hackers to the world


What to do in the event of a Cyber Attack

Tell someone!  Report to IT. Report to SLT.

Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off. Isolate the infected device and pass it to IT.

If you are a victim of a ransomware attack, we recommend reporting it to:
Action Fraud: https://www.actionfraud.police.uk/, as well as to your data protection officer so they can advise about the data loss. Alternatively, contact your local police, or phone 101, and ask for the cyber crime team.

Most cyber crimes like these will also need to be reported to the ICO by your data protection officer. Our customers should email [email address hidden on the original page].

These incidents should also be reported to the DfE sector cyber team at [email address hidden on the original page].

Academy trusts have to report these attacks to ESFA.

Where the incident causes long term school closure, the closure of more than 1 school or serious financial damage, you should also inform the National Cyber Security Centre.

Always ensure there are backups you can restore from.  Preserving evidence is as important as recovering from the crime.

Forward suspicious emails to [email address hidden on the original page]. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).
