The cyber criminals are thought to be linked to Russia. In August last year they attempted to extort a school in Leeds for information about the children, particularly about special educational needs. LockBit functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure, with the main gang taking a cut of the affiliates’ earnings.
On Monday evening, a message appeared on LockBit's website, saying it was "now under control of law enforcement".
The NCA's technical experts had been able to get inside of LockBit's own systems and take control. In doing so, they were able to steal a large amount of the criminal group's own data about its activities.
Since many companies do not admit they have been hacked and sometimes pay a ransom, this data may well provide a unique insight into the true scale of the group's work as well.
Source of information: BBC News: LockBit: UK leads disruption of major cyber-criminal gang
Further information reported by Computing says that the United States Department of Justice unsealed indictments against two alleged members of the LockBit ransomware group, as part of a broader global operation aimed at dismantling the criminal enterprise. The number of LockBit members currently charged is five. Details about the crimes and charges can be read: Computing: US Charges Russian Nationals
Disruption to the LockBit operation is significantly greater than first revealed. As well as taking control of the LockBit website, Lockbit's primary administration environment, the NCS has also seized the infrastructure that allowed it to manage and deploy the technology that it used to extort businesses and individuals around the world:
The Guardian: Seized ransomware network LockBit rewired to expose hackers to the world
What to do in the event of a Cyber Attack
Tell someone! Report to IT. Report to SLT.Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off. Isolate the infected device and pass to IT
If you are a victim of a ransomware attack we would recommend reporting this to:
Action Fraud: https://www.actionfraud.police.uk/ as well as your data protection officer so they can advise about the data loss or your local police and ask for the cyber crime team or phone 101 and ask for the cyber crime team.
Most cyber crimes like these will also need to be reported to the ICO by your data protection officer. Our customers should email
These incidents should also be reported to the DfE sector cyber team at
Academy trusts have to report these attacks to ESFA.
Where the incident causes long term school closure, the closure of more than 1 school or serious financial damage, you should also inform the National Cyber Security Centre.
Always ensure there are backups you can restore from. Preserving evidence is as important as recovering from the crime.
Forward suspicious emails to