Hubris May Have Contributed to Downfall of Ransomware Kingpin LockBit

For all its vaunted success, the LockBit ransomware operation appears to have already been beset by problems when an international law enforcement effort led by the UK's National Crime Agency shut it down this week.
The dozens of independent affiliates that distributed and deployed LockBit on victim systems will likely move on to other RaaS providers, but for the moment they have no viable way to keep operating under LockBit itself.
The international effort resulted in law enforcement taking control of LockBit's primary administrative servers that allowed affiliates to carry out attacks; the group's primary leak site; LockBit's source code; and valuable information on affiliates and their victims.
Over a 12-hour period, members of the Operation Cronos taskforce seized 28 servers across three countries that LockBit affiliates used in their attacks.
They also took down three servers that hosted a custom LockBit data exfiltration tool called StealBit; recovered over 1,000 decryption keys that could potentially help victims recover LockBit-encrypted data; and froze some 200 LockBit-connected cryptocurrency accounts.
The initial break appears to have resulted from an operational-security failure on LockBit's part: an unpatched PHP vulnerability on its servers that gave law enforcement a foothold in LockBit's environment.
$15 Million Reward
The US DoJ on the same day also unsealed an indictment that charged two Russian nationals - Ivan Kondratyev, aka Bassterlord, one of the most prominent of LockBit's many affiliates, and Artur Sungatov - for ransomware attacks on victims across the US. The department also disclosed that it presently has in custody two other individuals, Mikhail Vasiliev and Ruslan Astamirov, on charges connected to their participation in LockBit.
With the new indictment, the US government says it has so far charged five prominent LockBit members for their role in the crime syndicate's operation.
On Feb. 21, the US State Department amped up pressure against LockBit members by announcing rewards totaling $15 million for information leading to the arrest and conviction of key members and leaders of the group.
The Department of Treasury joined the fray by imposing sanctions on Kondratyev and Sungatov, meaning that US victims who pay a LockBit ransom that reaches either of the sanctioned individuals would be in violation of US sanctions law.
In executing the takedown, law enforcement left somewhat mocking messages for affiliates and others related to LockBit on sites they had seized during the operation.
Some security experts viewed the trolling as a deliberate attempt by Operation Cronos to shake the confidence of other ransomware actors.
The operation follows a string of similar successes over the past year, including takedowns of ALPHV/BlackCat, Hive, Ragnar Locker, and Qakbot, a widely used ransomware dropper.
A Challenge to Rebuild
While other groups have rebounded following similar takedowns, LockBit itself might have a bigger challenge getting restarted, because it was already beset by problems before the takedown.
Among them was the theft and subsequent leak of LockBit's builder by a disgruntled member in September 2022, which allowed other threat actors to deploy ransomware based on LockBit code.
LockBit's reputation as a trusted RaaS player among cybercriminals has also taken a hit following rumors that it refused to pay affiliates as promised, according to security researchers tracking the group.
Recently, LockBit's administrative team has come under significant pressure from a reliability and reputation standpoint following a ransomware attack on Russian company AN Security in January involving LockBit ransomware, says Aamil Karimi, threat intelligence leader at Optiv.
Bohuslavskiy of RedSense says suspicions that a LockBit administrator was likely replaced by agents of Russia's foreign intelligence service have not helped the group's image either.
It was around that time that LockBit's admin suddenly went quiet, Bohuslavskiy says.
RedSense this week published a blog summarizing the findings from a three-year investigation of LockBit, based on conversations with members of the operation.


This Cyber News was published on www.darkreading.com. Publication date: Thu, 22 Feb 2024 23:45:26 +0000