Jean-Philippe Lecouffe, Deputy Executive Director of Operations at Europol, discusses the international police operation carried out against LockBit, which specializes in ransomware attacks.
An international police operation to “hack hackers” helped neutralize the LockBit cybercriminal group. This group, which specializes in ransomware attacks, had carried out more than 200 actions in France, notably against the hospitals of Corbeil-Essonnes and Versailles. The group, and the ransomware of the same name, LockBit 3.0, ransomed more than 2,000 victims around the world and obtained more than 120 million dollars (110 million euros) in loot before being targeted in turn by an international police operation, unveiled on Tuesday, February 20 by the British National Crime Agency (NCA) in collaboration with the American FBI and the European police agency Europol. Jean-Philippe Lecouffe, deputy executive director of operations of the European agency, looks back on Operation Cronos for franceinfo.
franceinfo: How is the operation against LockBit revealed today extraordinary?
Jean-Philippe Lecouffe: Firstly because the target is the biggest ransomware in the world. It is estimated to represent a quarter of this criminal market. It’s called a criminal service, anyone can come and connect. It provides extremely “efficient” services for those who want to carry out a ransomware attack. So it was important that we could attack it. It did a lot of damage in France. The website of the Ministry of Justice had been attacked, which also triggered the referral to the Center for the Fight against Digital Crime (C3N) of the gendarmerie, which is a bit of a start of this cooperation, first European, then extended very quickly to our British and American colleagues.
How big is the blow to this organization today? Because we understand well, it is not completely dismantled.
We still have a lot of work to do. But all the technical infrastructure that made it possible to carry out the attacks is now in the hands of law enforcement. Controlled by law enforcement, in particular our British colleagues at the National Crime Agency. Therefore, all the infrastructure that had been put in place can no longer be used by criminals, since we are the ones who have control over it. It’s really major. From there, we also collect a lot of information which will allow us to question each other.
You get your hands on accounts with money, cryptocurrencies. Does this mean that some of the victims who paid ransoms will be able to get their money back?
More than 200 cryptocurrency accounts have been frozen for the moment. Then you have to make the connections. What we are trying to do is first to seize the money, since it is criminal money. We will then see what justice decides to do with it.
This operation also led to arrests around the world?
Yes, there have been arrests in the United States. There are two arrests that took place this very morning [Tuesday, February 20] on arrest warrants from French magistrates, in Poland and Ukraine, with the support of French gendarmes who were sent there and the support of Europol, the European police agency that I represent.
You have also collected a lot of data from the servers you now have control over. Data from victims but also from criminals?
Most of the data will, we hope, allow us to identify so-called affiliates. This platform offers a ransom service, so the data collected tells us about the platform itself, who maintains it, and who connects to it to collect ransoms and then carry out attacks. We then need to look in detail. Our main objective is to identify these affiliates who have committed attacks using LockBit services.
Did the people you arrested run this system? Have you decapitated this organization?
Yes, we can say that we decapitated this organization, but above all, what is important in this environment, we destroyed its credibility. Because in fact, these are organizations that like to brag about their ability to defeat law enforcement and create trust so that criminals come to this platform rather than others. Today, we have taken control of the infrastructure of this organization and a message announces it as soon as one of the affiliates tries to connect.
So today you are sending a message directly to these people. Even those who were not arrested?
It’s exactly that. We are telling them: you were an affiliate of this platform, LockBit. Look carefully over your shoulder because we’re behind you and we’re coming for you soon.