(Updates with takedown of Lockbit website on Monday)

SAN FRANCISCO/LONDON, Feb 20 (Reuters) - A cybercriminal group named Lockbit, which was broken up by an international law enforcement operation this week, has hacked some of the world's largest organisations in recent months, stealing and leaking their sensitive data if they didn't pay ransom. Here are some details about the group:

WHERE IS LOCKBIT FROM?

Lockbit was discovered in 2020 when its eponymous malicious software was found on Russian-language cybercrime forums. On Tuesday, the U.S. Justice Department charged two Russian nationals with deploying Lockbit ransomware against companies and groups around the world. Police in Poland and Ukraine made two arrests.

The gang has not professed support for any government nor has any government formally attributed it to a nation-state. "We are located in the Netherlands, completely apolitical and only interested in money," the gang said on its now defunct darkweb site.

In just three years, it had become the world's top ransomware threat, according to U.S. officials. Nowhere has it been more disruptive than in the United States, hitting more than 1,700 American organisations in nearly every industry from financial services and food to schools, transportation and government departments. Among its victims was defense and aerospace giant Boeing . Last November, Lockbit leaked a cache of internal data it had obtained by breaching Boeing's systems. Earlier in 2023 the gang's hack into the financial-trading services group ION disrupted operations at customers that included some of the world's biggest banks, brokerages and hedge funds.

It also breached the Industrial and Commercial Bank of China(ICBC), disrupting trading in the market for U.S. Treasury securities.

HOW DOES LOCKBIT TARGET ORGANISATIONS?

The cybercrime gang infected a victim organisation's system with ransomware - malicious software that encrypts data - and then coerced targets into paying ransom to decrypt or unlock it. Such ransom is usually demanded in the form of cryptocurrency, which is harder to trace and gives the receiver anonymity.

U.S. and other officials in a 40-country alliance had been trying to stem the global scourge of ransomware by sharing intelligence between nations on the cryptocurrency wallet addresses of such criminals.

On the dark web, Lockbit's blog displayed an ever-growing gallery of victim organisations that was updated nearly daily. Next to their names were digital clocks showing the number of days left to the deadline given to each organisation to provide ransom payment, failing which, the gang would publish the sensitive data it had collected.

Often victim organisations will seek the help of cybersecurity companies to identify what data was leaked and negotiate ransom amounts with the hackers. Such behind-the-scenes talks usually remained private and could sometimes take days or weeks, according to security analysts.

It was common for some victim names to not show up on the Lockbit blog if the threat was made privately.

HOW DID LOCKBIT OPERATE?

In part, Lockbit's success depended on its so-called "affiliates" - likeminded criminal groups that were recruited to wage attacks using Lockbit's digital extortion tools.

On its website, the gang boasted of its successes in hacking various organisations and laid out a detailed set of rules for cybercriminals who could submit an "application form" to work with them. "Ask your friends or acquaintances who already work with us to vouch for you," one of those rules said.

This web of alliances between cybercriminal groups makes tracking such hacking activity and attempts to ransom victims difficult, since their tactics and techniques can vary with each attack. (Reporting by Zeba Siddiqui in San Francisco and James Pearson in London; Editing by Rod Nickel and Sandra Maler)