Public Key Podcast

Operation Cronos: Infiltrating the LockBit Ransomware Syndicate: Podcast Ep. 122

Episode 122 of the Public Key podcast is here. Ever wonder what goes into taking down the world’s biggest ransomware group? In this episode we speak to Phil Larratt (Director of Investigations, Chainalysis) and William Lyne (Head of Cyber Intelligence, National Crime Agency (NCA)), who share how UK law enforcement, along with their international partners, were able to infiltrate and eventually shut down the most prolific ransomware ecosystem, LockBit, and what happened after the takedown.

You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 122.

Public Key Episode 122: How the UK Took Down LockBit, the World’s Biggest Ransomware Group

Ever wonder what goes into taking down the world’s biggest ransomware group? Well, in this episode Ian Andrews (CMO, Chainalysis) speaks to Phil Larratt (Director of Investigations, Chainalysis) and William Lyne (Head of Cyber Intelligence, National Crime Agency (NCA)), who share how UK law enforcement, along with their international partners, were able to infiltrate and eventually shut down the most prolific ransomware ecosystem, LockBit.

The trio discuss LockBit, the major ransomware-as-a-service threat, and provide a detailed account of Operation Cronos, a sophisticated operation that compromised LockBit’s systems and eventually led to the takedown of its operations.

Phil and William explain the intricacies of crypto tracing, international law enforcement collaboration, and the innovative tactics used to protect victims and hinder cybercrimes, like ransomware.

This is one of the few episodes that provides a riveting inside look at one of the most significant crypto ransomware operations to date and the ripple effects on the larger cybercrime ecosystem.

Quote of the episode

“Ransomware went…really quickly from one of those cyber crime problems that perhaps wasn’t an enormous priority for us in law enforcement, all the way through to being a national security issue and the most significant cybersecurity issue faced in the UK, in a relatively short period of time.”  – William Lyne (Head of Cyber Intelligence, National Crime Agency (NCA))

Minute-by-minute episode breakdown

2 | William Lyne’s background going from Astro-Physics into Cyber Crime at NCA

4 | Introduction to Phil Larratt and unpacking a £100 million “vishing” fraud case

8 | The scale of the LockBit Ransomware syndicate and affiliates

14 | Operation Cronos and how law enforcement infiltrated an entire ransomware ecosystem 

18 | Blockchain intelligence’s role in fighting cyber crimes like ransomware

23 | Government’s covert operations against ransomware hackers

27 | The impact on the ransomware ecosystem post-LockBit takedown

30 | New UK law enhances crypto asset seizure capabilities to fight cyber crime

Speakers on today’s episode

  • Ian Andrews, Host (Chief Marketing Officer, Chainalysis)
  • William Lyne (Head of Cyber Intelligence, National Crime Agency (NCA))
  • Phil Larratt (Director of Investigations, Chainalysis)

This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.

Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material. 

Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company.

Transcript

Ian:

All right. Welcome, everyone, to another episode of Public Key. This is your host, Ian Andrews. Today, I’m very excited to bring you a special show. We’re going to talk deep on ransomware. I’ve got Will Lyne, who’s the head of cyber intelligence at the National Crime Agency in the United Kingdom, and my colleague, Phil Larratt, who is director of investigations, works across the UK and the European continent with some of our most important strategic customers. Gentlemen, welcome to the program.

Will:

Thanks very much for having me.

Phil:

Morning, Ian. Thanks for having us.

Ian:

Yeah. We’ve been trying to schedule this for months, so I am pumped to talk about this today. Will, before we jump into ransomware specifics, you’ve got a super interesting background. As I usually do, I was doing a little bit of LinkedIn stalking this morning before the show, and you’ve got a degree in astrophysics and now you’re in the line of police work, focusing on cyber crime. Maybe just a brief background on how you went from astrophysics to where you are today.

Will:

Yeah, I can’t say that I’m using my degree a whole amount of time in my current role, but I went to university, even though it feels like a million years ago now, and I wanted to be a scientist. I was really interested in that topic and astrophysics, but didn’t take long of actually being at university to realize that actually, that probably wasn’t a life for me. But really enjoyed it. Really, really fascinating kind of degree to do. But when I finished … I’ve always just been guided by doing stuff that’s really interesting. For me, life and what you do is all about that Sunday evening feeling.

And I kind of just stumbled into my current role, really. Saw it, thought it looked really interesting and applied, and that was my route into law enforcement. There was no preconceived plan or I’d never dreamt of being in law enforcement or being in the police, but stumbled into it. But yeah, since, I guess, fate led me down that road, yeah, I’ve loved every minute of it. It’s been a really varied and fascinating career.

Ian:

And talk a little bit about your unit, the National Cyber Crime Unit within the NCA, for people that maybe aren’t familiar with UK law enforcement structure kind of responsibilities and focus of your organization, and then what do you specifically do as head of cyber intelligence?

Will:

So, the NCA, so National Crime Agency, as you say, is a little bit like federal law enforcement in the UK. So, I have a national remit and we lead on SOC, or serious organized crime. So, the agency more broadly is kind of five-and-a-half thousand people, something like that. The National Cyber Crime Unit, in comparison, which is where I work, is relatively small, it’s only about 300 people, and we are really focused on what can be described as pure cyber crime or cyber-dependent crimes. So, the types of offenses that you can generally only commit with a computer. So, ransomware’s a really obvious example of that, and there’s lots of others.

I appreciate that that kind of definition is a little bit outdated now. Actually, lots of offending happens on this kind of spectrum, but that’s specifically the remit of the National Cyber Crime Unit. And yeah, my role is to lead the intelligence function on cyber for the agency, which is a really varied and really fascinating job.

Ian:

Amazing. We’re going to get more into the job itself. But Phil, I don’t want to forget about you. You and Will actually worked together for a number of years, but you’ve been here at Chainalysis for about three years. Talk a little bit about the transition from policing into the private sector and what you do here at Chainalysis.

Phil:

Yeah. Thanks, Ian. So yeah, I left the National Crime Agency about three-and-a-half years ago, and so prior to that I’d spent, I think, 12, 13 years in UK law enforcement, so at Greater Manchester Police and then at the National Crime Agency. Now, I’ve been in crypto investigations for over a decade, so since the start of 2014, and that took up a lot of my role at the National Crime Agency, working with Will in cyber crime, particularly around ransomware.

So, in terms of the transition, yeah, I decided to make the jump like three-and-a-half years ago. Now, in terms of my role now, I’m the director of investigations at Chainalysis, and that’s on the international team, so anything outside of the US. And I manage a team of investigators who provide specialist support to both the public and the private sector across the world.

Now, what I would say is in terms of my role in the private sector, it’s probably as close as I could be to the public sector without actually being in the public sector. So, we work very closely with partners from across different agencies across the world, and like I say, providing that sort of specialist and advanced support in relation to crypto investigations.

Ian:

Amazing. Now, I have a note here that you were involved in an investigation, 100 million pound vishing fraud case that ran between 2014 and ’16. I have to admit, I’ve never heard the term vishing before. Can you unpack that one for us? What was this all about?

Phil:

Yeah. I mean, the term vishing, it was new to me at the time as well. It’s essentially phishing, but with voice calls. So, we call it vishing.

Ian:

Oh.

Phil:

And yeah, there was a big case back in 2013, 2014 in the UK. Essentially, an organized crime group, they were targeting legal firms, big businesses, using these social engineering techniques, essentially calling up on the phone purporting to be from the fraud department at various UK banks. And then, through a really advanced and very professional sort of approach, they were able to essentially get the required details to log into a victim’s online banking platform. And then, essentially, they’d dissipate the funds once they had gained access to the bank account.

Essentially, what they’d then do is have a network of money mules across the UK who’d received these funds. So, they did it in different chunks of payments. And then, that’d be sort of layer one. And then, they’d have another layer of money mules, that’d be a layer two. And then, layer three. And then, eventually, what this crime group would do working with their professional money launderers would be to cash all of this money out at banks and at ATMs and get that cash back to the crime group who committed the vishing in the first place, minus, obviously, all the fees that they paid for these money launderers to layer the proceeds of crime.

Ian:

Unbelievable. Now, Will, you mentioned that a big part of the focus of your unit is on ransomware. Maybe set some context for listeners, how big a problem is ransomware in the United Kingdom?

Will:

Yeah, it’s really significant. And I think ransomware went from one of those threats that emerged in the mid to late 2010s, and it was kind of an issue running in the background, but actually, it went really quickly from one of those cyber crime problems that perhaps wasn’t an enormous priority for us in law enforcement, all the way through to being a national security issue and the most significant cybersecurity issue faced in the UK, in a relatively short period of time.

But yeah, you only have to look at some of the recent attacks that have been in the media to recognize how acute the issue of ransomware is in terms of the impact on victims, not just from a financial perspective, but from broad spectrum of harms. RUSI have done some really interesting research in the UK, it’s a think tank in the UK, about the harms run much more deeply than just the financial impact on victims. So yeah, huge priority for us within the National Cyber Crime Unit, recognizing it is the most significant cyber crime and cybersecurity threat facing most people in the UK.

Ian:

Well, and I think one of the things that people find so frustrating about ransomware is most of the threat actors seem to reside in Russia, sort of outside of the reach of law enforcement. And so, they operate, in many cases it feels like with impunity, right? They swoop in, they disrupt technology systems of victims, they demand these huge sums of money, which even if you pay them in certain cases, you don’t necessarily get resolution of the technology issues. And then, there’s obviously all the fallout from victim data being leaked that you have to deal with.

So, it’s a really disruptive crime that doesn’t seem to have an easy resolution, but I think your organization led the way in something called Operation Cronos, which is going to be the big focus of our conversation today, against LockBit. So, maybe we can start with a bit of background on what LockBit is and then dive into what is Cronos and what we are actually able to do here. Will, do you want to start with some background on LockBit?

Will:

Yeah. So, LockBit’s been around for a number of years and was one of the biggest, if not, I think, easily the biggest ransomware-as-a-service groups operating out there. So, providing a capability for people to come in, called affiliates, effectively buy into the ransomware scheme and utilize the capabilities and the platform that LockBit provided as a service to them, and in return, paying a percentage of the cut of ransoms received. So, in a nutshell, that was it.

But yeah, LockBit was a really big group and really, really prolific in terms of, you look at the victimization volumes from things like data leak sites and things like that. Yeah, many thousands of victims around the world over the time that it was operating.

Ian:

Phil, maybe you can fill in some details from an on-chain perspective, when we look at the cryptocurrency payments being made to LockBit or where some of the funds distribute from there, anything notable that you would add?

Phil:

Yeah, definitely. So, I think if we look at LockBit, and just to what Will said before, it’s been active since, I think, 2020, 2021. It deploys this very successful affiliate model. And if we just take a look at the on-chain data, we can see well over 2,000 different victims who’ve made payments to LockBit over the course of its life cycle. There’s a minimum there of like $120 million worth of payments, but we believe this to be a lot higher.

And like I say, it’s demonstrated before Operation Cronos, a lot of resilience, really. It’s been around since 2021. I think its revenue then was around the eighth-highest in terms of the different ransomware variants, and it became more and more successful as a business model. And by 2023 and early 2024, I think it was the second-highest in terms of the revenue that it was ultimately generating.

And like Will touched on before, just in terms of how the LockBit model worked, they had hundreds of different affiliates who were buying into the program, using the LockBit malware and then wreaking havoc and utter devastation to victims, not just in Europe but across the world.

Ian:

Well, and I had an interesting guest on the podcast recently from Kivu Consulting, which is one of the companies that try and help victims of ransomware deal with the fallout and the recovery process. And he had a very interesting stat that said their analysis indicated only about a third of victims actually pay. So, if we take your 2,000 victims, we can almost sort of assume that they probably carried out at least 6,000 attacks, just on that relative basis. So, incredibly prolific given the timeframe that we’re talking about, just the last few years.

So, Will, how does your organization decide, “Okay, LockBit is somebody that we want to go after.”? Where does the prioritization of resources and focus, how do they pop up on the radar?

Will:

Yeah. It’s really interesting, and it’s changed quite a lot over time as the number of ransomware groups has increased. So, back when I was working on ransomware with Phil a fair few years ago now, there was probably a relatively small number of significant ransomware groups victimizing people in the UK and around the world at any one point in time. So, Phil almost felt like a dozen ransomware groups is enough for one organization and enough for one team to be able to track and to be able to put some monitoring around that. But now, as we’ve seen this threat proliferate, ransomware-as-a-service is a massive part of that in terms of lowering the barrier of entry, and just the sheer number of groups that we see operating nowadays means that yeah, you cannot actively work on dozens and dozens, 50, 70, 80 ransomware groups at once.

So yeah, we have an internal prioritization mechanism that draws in data from not just the NCA, but from a number of different partners, including industry, that help us prioritize the ones that we really should be focusing on the most, but really difficult, actually. And that is a huge challenge, because often these groups appear out of nowhere a little bit and can rise to prominence really, really quickly in a way that perhaps you don’t expect. So, predicting or trying to understand which ransomware groups in the future will be a problem, I think is really, really hard. That predictive element is really difficult.

And yeah, I think that that problem is only going to get worse in many respects, as we’ve seen the market fragment quite significantly. I think it feels a little bit like the era of having these really big ransomware affiliate programs and ransomware-as-a-service groups operating may be over, perhaps I’ll be speaking too soon. But yeah, are we going to see the likes of ALPHV/BlackCat, LockBit, Conti-type groups operating again? Maybe not. Many more for us to track and many more for us to prioritize and allocate our resource against.

Ian:

I wonder if it’s similar to what we’ve seen happen in the dark net market category, where if you’re running a relatively small dark net market, it seems like you can get away with it for a period of time, and then once you get very big like Silk Road or Hydra scale, it just attracts so much attention that it becomes impossible to evade law enforcement. I don’t know if maybe that philosophy is bleeding over a little bit into the ransomware world, and so, they’re intentionally constraining growth to a degree, or maybe it’s just the ransomware-as-a-service model that’s encouraging them to splinter?

Will:

Yeah, I would say it can feel a little bit like we’re entering into this, you could say post-truth era within this kind of ransomware market or ecosystem, whereby perhaps trust has bottomed out quite a bit in these centralized platforms.

Trust in big affiliate programs has decreased quite significantly on the back of not just law enforcement action, but the action that criminals are taking against themselves, right? When you see exit scams. You mentioned dark markets, Incognito is a really infamous one now in the news about scamming a call with the vendors and sellers on that. So, yeah, perhaps we are moving into that … I don’t know if post-truth is the best way to describe it, right? But a decreased era of trust, and I think that influences some of the behavior of the threat actors online, certainly.

Ian:

Yeah, that’s a great point. If people aren’t familiar with Incognito Market, the individual or group of individuals that was running the marketplace, at some point, they shut it down and then notified all the buyers and sellers, who I believe had been told all their information was anonymous and not being collected, that in fact, it was all being collected, all their transaction activity, all the things they bought and sold and where they were sent. And that if they didn’t pay a fee, that information would be disclosed publicly, sort of doxing them and all the criminal activity they’d participated in. I imagine that had to bring a bit of a smile to the faces of yourself and people in your team, Will.

Will:

Yeah. Yeah, unexpected, pretty effective take down in some respects, but yeah, perpetrated by the threat actors themselves.

Ian:

Yeah, it’s fantastic. So, let’s shift gears and talk about Operation Cronos. So, obviously, at some point LockBit rises to that level of prioritization where your organization and international law enforcement partners say, “We need to do something about this. This is becoming too much of a problem.” How do you get started? What is Operation Cronos? And then, what were you able to accomplish?

Will:

Yeah, it’s a really good question. I would say that all of these threats, virtually all of the activity that we’re doing nowadays is worked with our international partners, predominantly those from what you might call the Five Eyes. So, US and Australia, Canada, New Zealand, but also with our European partners, too. And often, that work is through Europol, where there’s different task forces and it’s a really great platform for us to come together and engage with international partners.

But yeah, that’s one of the things about the nature of the cyber crime threat in many respects, isn’t it? That what you see and is a priority in the UK is often mirrored by our partners and allies in the West. So, what is a really common threat in the UK is a really common threat in the US and is the same in lots of our European partner countries. So yeah, coming together often involves that initial starting point, which is all about that deconfliction, understanding who’s doing what and the stages at which investigations might’ve got to. And then, coming together and coalescing really around that common goal, disrupting the threat and delivering the outcomes that we want to. And coming together, as I said, on platforms like Europol is really, really powerful for us, to enable us to do that.

Ian:

That’s fascinating. I’m curious, when you think about a takedown operation of something where you’ve got this large affiliate model, is the idea that if you sort of cut off the head or the people actually distributing malware in this case, that potentially wipes out all the affiliate work? Or, do you have to somehow plan a targeted action that incorporates all the affiliates as well? Take me through as a non-law enforcement professional, what does the operation look like as you’re planning to take some disruptive action?

Will:

So, you’re looking at it as a ransomware scheme or as a business model and looking at it in its entirety, really. And I don’t know if I’m going to get my basketball analogy wrong here, but we’re really looking for that full-court press to try to stress the network at multiple different points. So, not just the ransomware operators and people like LockBitSupp, but also the affiliates. And so, looking at it from that end-to-end perspective is really, really important. Looking for those key nodes, looking where we can have maximum impact, and designing the operation around that is massively important. So yeah, where possible we go for that kind of full-court press type of [inaudible 00:21:29].

Ian:

Yeah. Phil, I’m curious, let me bring you back into the conversation a little bit here, because I think given our cryptocurrency tracing capability, this often gives us the map of that affiliate network. Was that the case here with LockBit?

Phil:

Yeah, 100%. So, I mean, one of the beauties of blockchain intelligence is its transparency. At the start of this call, I was speaking about an old investigation, pre-crypto, that I was dealing with over 10 years ago now, and the funds were layered through different bank accounts. And the only way you could get that information from a bank account was go to court, you get a court order, you serve a subpoena, legal process, you get that information back, usually back then it was by a fax machine. You get that information, you then look at where those funds have gone, and then you go back to court again, you get further information. And then, suddenly, like two years has gone, okay? Two years has passed. With the blockchain, we can do it instantly and with Chainalysis data, we can see how these affiliates are operating between different ransomware strains.

So, they may use LockBit, but then for example, they may go and use a different strain, and we can see that. We’ve got a sort of 30,000-foot view of the blockchain. So, it’s an invaluable tool to sort of fully exploit financial intelligence and see where these funds are going. And look, I spoke to Will on various occasions about the cyber crime ecosystem, and Will touched on it then in terms of having that kind of whole system approach. And we can see the payments that are being made from victims to these different affiliates and to these different ransomware strains. But we can also see these individuals, these groups making payments to other parts of the ecosystem, whether that be access brokers, infrastructure providers, cyber crime forums, fraud shops, mixing services, so on and so forth. So, using Chainalysis, using our data, we can get so much insight which we can then ultimately utilize to develop intelligence, try and secure evidence, try and take down some of these services, try and seize assets, and so on and so forth.

Will:

It’s really powerful, isn’t it? Because I think crypto is the thing that really revolutionized that cyber crime ecosystem in many respects, and it changed the way a lot of the threat actors are operating, because it not just provides a really good way for you to trade within that ecosystem. So, previously to buying and selling things, you are trading amongst criminals. What you are doing is criminal. So, how do you introduce trust into that? Well, actually, crypto is an interesting way for you to be able to purchase things within that ecosystem, or sell things, I should say.

So, it’s really interesting from that perspective. And there’s loads of leads and opportunities, as Phil mentioned, in that, but then also, crypto transformed that cash-out element for these financially motivated actors; they’re in it for a payout. And previously, cashing out cyber criminal schemes, whether it be going back to, say for example, the Dridex days where you are looking to get access to people’s bank accounts, you might have had to have had mules, money mules within the jurisdiction where you’re going after accounts, who then have to transfer money from that compromised account to their account and then maybe cash it out, and then maybe purchase some goods, and then perhaps post them, perhaps post them back to Moscow and then sell them on the black market.

That’s really complicated and expensive to run as a cyber criminal. So, you are losing 60 to 80% of your profits by the time you realize them, whereas crypto allows you to realize that value really, really quickly and efficiently, and much more cheaply than in the past. So, that’s where it kind of revolutionized and unlocked ransomware as a business model going after organizations for big payouts. But with that opportunity comes opportunity for law enforcement as well, I’d say, good and bad.

Ian:

That’s right, an advantage for them, but one that I think we’ve been able to turn back on them in some cases, which is exciting. So, with LockBit, your organization was able to actually gain access to some of their systems. Take us through that story.

Will:

Yeah. So, getting access to the data was really an incredible, amazing opportunity for us. The kind of access and insight that in law enforcement, we get quite rarely. And loads of crypto opportunity in that as well, actually, I should say. So, you have the crypto addresses that are assigned by the ransomware group, so by LockBitSupp, will give you the crypto address where you are supposed to send your 20% cut of any ransoms that you’re making. But then, we have copies of the chats and negotiations, so there’s addresses that are provided to victims where in some cases or quite a few cases, that’s where 100% of any ransom payment may have gone to.

And there’s other nuances to that as well, whereby if ransoms were over $500,000, that you were supposed to actually provide two addresses, and so, the ransom administrators got their 20% cut directly. So yeah, kind of like a world of opportunity, not just on the crypto front but on a lot of other fronts for us. But it’s the type of access and insight that is really fascinating, helps us understand that business model more and really helps us design the most impactful disruptions as well.

Ian:

I have to imagine that listeners are wondering, how does the government hack into the hackers? What was the means or methodology, if you’re able to talk about it, that allowed you to gain access?

Will:

So, we can’t talk about specific tactics or techniques that we utilize.

Ian:

Okay.

Will:

Except to say, yeah, we were able to fully compromise the data and the platform on which the group was operating and get access and insight to that for a relatively extended period of time, which then allowed us to aim to protect victims and design the most impactful international collaborative disruption possible, really.

Ian:

And yeah, from what I’ve read about this, you actually had access to their systems for a long time with them having no idea that you were on the inside collecting data, collecting information on the entire affiliate network, securing decryption keys, really kind of an amazing hidden operation. But at some point you made the decision, okay, it’s come time to shut this down. What triggers that decision point between allowing it to continue operating where you’re presumably collecting valuable intelligence, versus we’ve had enough, we’re going to stop these folks from operating?

Will:

Yeah. It’s a really good question and there’s a number of different factors that lead you to it, but getting the right different operational elements lined up and involved and being able to bring those all to bear at the right moment is really, really important.

So yeah, it’s always that trade off. How long do you collect for? How long do you look for? And how long do you wait until you operationalize it? But I think we really got it at that sweet point. But of course, all of this is about protecting the public as best we’re able to, whether that be the public in the UK or overseas. Ransomware incidents, it’s not just about paying the ransom or the financial cost. Ransomware is an existential threat to lots of those victims. It’s utter, utter misery for the people that have to go through it. It has enormous financial, psychological impacts and things like that. So, we always absolutely take a victim-led approach to this as best as possible. Yeah. So, picking that moment, yeah, difficult decision. But yeah, I think we went at the right time.

Ian:

I certainly do. I would agree with that. And so, when you make that decision to then execute the takedown, take us through what you actually did because I think there were some pretty public moves here, including a version of Spotify Wrapped that was distributed, that I think was just fantastic. If you can talk us through some of those details.

Will:

So, I think it’s actually the culmination of lots of learning over time. So, we talked about this absolutely being a collaboration and a coalition of partners. And I think you can see over time our counter ransomware approach and methodology, we work really closely with international partners, share learning, share insights, always debrief and see what’s worked and what hasn’t from activity that’s gone before. And you can see, I think, through 2023, lots of different bits of activity in some way, shapes or form, perhaps include some elements of what we did around LockBit.

I think it just came together really powerfully. The technical opportunity to be able to lock out, in many respects, and utilize their own infrastructure as part of the disruption, I think was a really powerful idea. And then, use those different tabs to put all of the different elements of the disruption in there as they used to be used for providing data leak sites for victims. We were using those to provide information around what the NCA and the coalition of international law enforcement partners and some industry partners have actually done against them.

And it didn’t take long for Twitter, or, sorry, X, as I should say now, and lots of other social media platforms to jump in with memes and all sorts of stuff, which was really fun to watch and really good amplification of what we’ve done in many respects.

Ian:

I think it was great to combine the technical takedown and the lockout with also some strong public disincentives for maybe those folks that happened to be outside of the direct reach of law enforcement. You weren’t necessarily going to be able to arrest them, but making it clear that you had a tremendous amount of data on them and they were now going to be on a target list. Just trying to discourage that type of behavior in the future I thought was fantastic.

Will:

Yeah, it absolutely is. We know who they are, we know what they’ve done and we’re never going to give up working with our international partners trying to bring them to justice for the untold misery that they’ve put upon thousands of victims all around the world. So yeah, I think that is a really powerful message and it’s a really important message. Imposing some cost and risk on those individuals that have perpetrated these crimes, I think, is really important.

Ian:

Yeah. Well, and most importantly, I think you were able to recover quite a few decryption keys as well. So, for people that were still in the midst of a recovery, maybe give them some relief where they’re able to get back the locked out systems and data that they weren’t able to access.

Will:

Yeah. And some powerful messaging for victims in there, not just of LockBit, but future victims, in terms of, yeah, when you are paying for extortion-only attacks, for example, your data’s not necessarily being deleted. Who would’ve thought it? You can’t trust cyber criminals. Things like that, I think, are really powerful again from an impact perspective.

Ian:

Yeah. Phil, shifting over to you, maybe we can zoom out a little bit. I know that last year was the biggest year ever that we had seen in terms of ransomware payments, the first time it exceeded a billion dollars. What have we seen through the first half of 2024? And in light of a takedown like LockBit, is that disrupting the overall ecosystem, or is there a bit of a squeezing-a-balloon effect here, where we take down one and activity migrates to maybe some of the other strains, or we see some of the other folks amp up their activity?

Phil:

Yeah. Look, I appreciate we’re only seven months into the year, but it is looking like another very strong year for ransomware. From a crypto payments perspective, it’d be good to get Will’s insight in terms of the data leaks, but from a payments perspective, it’s looking quite similar to last year.

Now, I think an important point to note is that ultimately this will probably look quite different from a blockchain analytics perspective, because essentially, what LockBit has done, what that disruption has done and what the BlackCat disruption has done is displace a lot of these affiliates. So, they may start using or they are using other types of ransomware to further their attack. Now, it’s difficult to measure directly the impact. It is very much kind of a war of attrition with these individuals and with these different crime groups. So, I don’t want to negate or undermine any of the amazing work that’s going on from both the public and the private sector in relation to ransomware, but it’s often a case of trying to keep the devil down in the hole, really.

Ian:

Yeah. Will, I’m curious your perspective, what’s been the experience post-takedown? Are you seeing activity spike in other areas? Are you seeing maybe a decline in terms of attacks, at least temporarily?

Will:

Yeah, I would say from an ecosystem perspective, it absolutely is quite attritional for us, and what we really want to do as the NCA and with our partners is really contest that space much more vigorously than we perhaps have done in the past. So, going after all of the different cyber criminal elements that you need to run a successful ransomware scheme, whether that be access … the info stealers, we’ve seen some fantastic work coordinated out of Europol and Op Endgame around that recently, whether it be the monetization of it, whether that be through the ransomware-as-a-service platforms, as LockBit was an example of.

But in terms of the disruption, yeah, absolutely, so we’ve seen a decrease from a LockBit perspective. We’ve seen lots, I think, of efforts to try to maintain the brand and reputation of LockBit, but I think it is now pretty shot to bits, actually. Lots of really old victims just duplicated on the leak site, some claims of really big victims that actually turned out not to be true. Posting some victims relating to other ransomware groups, which has been quite interesting; again, we just think, to try to boost the reputation on there.

And yeah, the LockBit malware source code is out there as well, so some LockBit victimization that may be reported, obviously it wouldn’t be on the leak site potentially, might not actually relate to the ransomware-as-a-service group. We are still seeing some attacks, but generally our feeling, and some work we’re doing at the moment is to try to understand the level of sophistication of those, our feeling at the moment is that that is lower. So, the impact of the Cronos Operation, we think, has been pretty significant.

But yeah, I think, as Phil touched on when first answering the question, this is really difficult. Understanding that measurement-of-effect piece, in the same way that going after and designing and delivering disruptions against these individuals through all the jurisdictional issues and things like that is really challenging, then understanding the impact is really hard as well. If you have changed behavior, how do you measure that behavior? You have to wait and see how that manifests over time. So yeah, we will see how that evolves over the year.

And on the scale point, yeah, roughly speaking, I think we are tracking ransomware at a similar level to what we saw in 2023. But I think when you dig down to the next layer of detail in that, it will look a little bit different in terms of the volume of groups operating, for example. So, it’ll be interesting to see how it pans out over the rest of the year.

Ian:

Well, we’re certainly rooting for you here. One question I wanted to ask about: there was some press around a recent law that was passed in the UK, allowing for crypto asset seizure, even, I believe, prior to an arrest of an individual. Has that shifted the landscape a bit in your favor, being able to, when you know that … Excuse me, when you know that there’s illicit proceeds or victim funds sitting in a crypto wallet someplace, does this give you an advantage to be able to, when you can gain access to it, obviously, seize those and take them away from the criminal actors?

Will:

Yeah, obviously all kinds of powers and capabilities that are new to us are, yeah, obviously really fantastic for us to be able to bring to bear in the fight against cyber crime. I would also probably add, it’s not necessarily just ransomware and cyber crime we’re talking about. That cyber crime ecosystem and crypto is actually utilized and leveraged by a range of different threat actors, whether that be people operating online fraud, people buying and selling commodities on the internet, particularly drugs. So yeah, really fantastic that we now have that additional capability that we’re still working through and doing some bits with within the NCA, but I think we’ll see it used a lot more moving forward in the future.

Ian:

Amazing. Well, we’re certainly fans of all the great work that you and your team have done over the years. I’m curious, listeners out there, we have a lot of people from law enforcement or that are in prosecutor roles or other functions within government. What can we do to be helping you be more successful in stopping some of these criminals?

Will:

Really good question. I think we are getting better at engaging and working with our partners in the public and private sector. We absolutely recognize that we can’t do this alone, and the insight and knowledge that exists out there and the capability that exists out there is really second to none. And so, yeah, partnering, collaborating, sharing is a huge part of delivering success in this space. And as I said, no law enforcement organization or body is going to be an island and delivering these types of big disruptive operations alone.

So yeah, the more engagement … There’s a number of different routes to engage with us as the NCA, and there are routes to engage at all different levels of the law enforcement system in the UK, whether it be at a force level or a regional crime unit level, or a national level. So yeah, I’d absolutely encourage people to engage and help with the fight.

Ian:

Wow. I think that’s a fantastic place to wrap the conversation. Will, it’s been really interesting to have you on the podcast. Phil, thank you for joining me today as an occasional co-host. Gentlemen, really appreciate it.

Will:

Thanks, Ian. Thanks, Phil.

Phil:

Thanks for your time, Ian, and Will, hugely appreciate it. Thank you.