Real World Risk Management Practical HR Resources
LockBit Cybercrime Group Disrupted, For Now

On February 19, 2024, the LockBit cybercriminal group was severely disrupted by law enforcement agencies from North America, Europe, and Asia.

The operation involved Britain's National Crime Agency (NCA), the U.S. Federal Bureau of Investigation, Europol, and Canadian authorities, and was known as "Operation Cronos." It resulted in the seizure of 34 servers, took over the group's Tor-based leak sites, froze cryptocurrency accounts, and harvested technical information on this Ransomware as a Service (RaaS) operation.

Authorities also announced they obtained 1,000 decryption keys that will help victim organizations recover their data without paying a ransom. They arrested two individuals suspected of being involved in the operation.

Authorities said they gained "unprecedented and comprehensive access to LockBit's systems" and, to taunt the criminals, they replaced existing posts on the seized leak site with messages containing reports on the group's activities, information on arrests, details on rewards and sanctions, and even suggesting they know who the LockBit leader is and that he "has engaged with law enforcement."

However, shortly afterward, an individual involved with this RaaS group, using the alias "LockBitSupp", launched a new leak site that lists hundreds of victim organizations and which contains a long message providing his view on the takedown.

Some experts interpret the response as one of desperation and an attempt to restore credibility, which the LockBit group badly needs. The LockBit 'brand' has suffered months of decline.

According to Trend Micro, despite accounting for roughly 25 percent of the ransomware attacks over the past year, LockBit has had difficulties in attracting and retaining affiliates, has shown technical difficulties with its leak sites, and has delayed the release of a new ransomware variant. Ionut Arghire "LockBit Ransomware Gang Resurfaces With New Leak Site" securityweek.com (Feb. 26, 2024)


Commentary


According to the U.S. Cybersecurity & Infrastructure Security Agency (CISA), in 2022, LockBit was the most deployed ransomware variant across the world and will continue to be prolific for years. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.

The LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model in which affiliates are recruited to conduct ransomware attacks using LockBit's ransomware tools and infrastructure. Ransoms are divided between the affiliates and the malware provider. According to the FBI, in the U.S. alone there have been about 1,700 attacks, and approximately $91 million in ransom has been paid by victims since LockBit activity was first observed in the U.S. on January 5, 2020.

The most common ways LockBit, or any other malware, gains access to an under-protected system include users visiting infected sites, brute force attacks, and email- or text-based phishing expeditions.

These common methods of infection give guidance as to the means of hardening your organization's cyber defenses. CISA has many recommendations, including requiring passwords that comply with National Institute of Standards and Technology (NIST) guidelines, coupled with two-factor authentication.
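As an added illustration of the NIST-compliant password requirement above (this is not code from the article or from CISA), the check below follows the NIST SP 800-63B memorized-secret guidance: a minimum of 8 and a maximum of at least 64 characters, Unicode allowed and normalized, no composition rules, and rejection of blocklisted, context-specific, repetitive or sequential secrets. The blocklist is a small constructed sample; a real deployment would screen against a large breached-password corpus.

```python
"""NIST SP 800-63B style password acceptance check (added illustration).
Assumption: BLOCKLIST is a constructed sample, not a real breach corpus."""
import unicodedata

MIN_LEN, MAX_LEN = 8, 64            # 800-63B: at least 8, allow at least 64

# Constructed sample of a breached/common-password list (real lists are huge).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1"}


def normalize(pw: str) -> str:
    """NFKC-normalize so visually identical Unicode strings compare equal;
    800-63B recommends accepting full Unicode and normalizing before use."""
    return unicodedata.normalize("NFKC", pw)


def is_sequential_or_repeated(pw: str) -> bool:
    """Flag 'aaaaaaaa' or 'abcdefgh'-style secrets, which 800-63B lists
    among the patterns a verifier should screen for."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(pw: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons the secret is rejected; an empty list means accepted.
    No composition rules (mixed case, symbols) are imposed, per NIST guidance."""
    pw = normalize(pw)
    reasons = []
    n = len(pw)   # count code points, so each non-ASCII character counts once
    if n < MIN_LEN:
        reasons.append(f"too short: {n} < {MIN_LEN} characters")
    if n > MAX_LEN:
        reasons.append(f"too long: {n} > {MAX_LEN} characters")
    low = pw.lower()
    if low in BLOCKLIST:
        reasons.append("appears in breached/common password list")
    for ctx in (username, service):   # reject the user's name or the service name
        if ctx and ctx.lower() in low:
            reasons.append(f"contains context-specific word '{ctx}'")
    if n and is_sequential_or_repeated(pw):
        reasons.append("repetitive or sequential characters")
    return reasons
```

Pair the check with two-factor authentication as the article recommends; a strong password policy alone does not stop a credential that has already been phished.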

Other suggestions include requiring administrative credentials to install hardware, using email filters, keeping all operating systems, software, and firmware up to date, and restricting accounts from remotely accessing other systems.

Phishing is one of the primary infection vectors in ransomware campaigns, and all employees should receive practical training on the risks associated with the regular use of email.

Finally, organizations are encouraged to develop a recovery plan, maintain offline backups of data following the 3-2-1 backup strategy, and ensure all data is encrypted, rendering it useless for exploitation.

