For all its vaunted success, the LockBit ransomware operation appears to have already been beset by problems when an international law enforcement effort led by the UK's National Crime Agency shut it down this week.
Though it's likely that the dozens of independent affiliates that distributed and deployed LockBit on victim systems will continue operations using other RaaS providers, their ability to continue with LockBit itself appears unviable for the moment.
The international effort resulted in law enforcement taking control of LockBit's primary administrative servers that allowed affiliates to carry out attacks; the group's primary leak site; LockBit's source code; and valuable information on affiliates and their victims.
Over a 12-hour period, members of the Operation Cronos taskforce seized 28 servers across three countries that LockBit affiliates used in their attacks.
They also took down three servers that hosted a custom LockBit data exfiltration tool called StealBit; recovered over 1,000 decryption keys that could potentially help victims recover LockBit-encrypted data; and froze some 200 LockBit-connected cryptocurrency accounts.
The initial break appears to have resulted from an opsec failure on LockBit's part: an unpatched PHP vulnerability that gave law enforcement a foothold in LockBit's environment.
$15 Million Reward

The US DoJ on the same day also unsealed an indictment charging two Russian nationals - Ivan Kondratyev, aka Bassterlord, one of the most prominent of LockBit's many affiliates, and Artur Sungatov - with ransomware attacks on victims across the US. The department also disclosed that it presently has in custody two other individuals, Mikhail Vasiliev and Ruslan Astamirov, on charges connected to their participation in LockBit.
With the new indictment, the US government says it has so far charged five prominent LockBit members for their role in the crime syndicate's operation.
On Feb. 21, the US State Department amped up pressure against LockBit members by announcing rewards totaling $15 million for information leading to the arrest and conviction of key members and leaders of the group.
The Department of the Treasury joined the fray by imposing sanctions on Kondratyev and Sungatov, meaning that any future ransom payments by US victims to LockBit would be strictly illegal.
In executing the takedown, law enforcement left somewhat mocking messages for affiliates and others related to LockBit on sites they had seized during the operation.
Some security experts viewed the trolling as a deliberate attempt by Operation Cronos to shake the confidence of other ransomware actors.
The operation follows a string of similar successes over the past year, including takedowns of ALPHV/BlackCat, Hive, Ragnar Locker, and Qakbot, a widely used ransomware dropper.
A Challenge to Rebuild

While other groups have rebounded following similar takedowns, LockBit itself might have a bigger challenge getting restarted.
Among its problems is the theft and subsequent leak of the LockBit builder by a disgruntled member in September 2022, which allowed other threat actors to deploy ransomware based on LockBit code.
LockBit's reputation as a trusted RaaS player among cybercriminals also has taken a hit following rumors of its refusal to pay affiliates as promised, the security vendor said.
Recently, LockBit's administrative team has come under significant pressure from a reliability and reputation standpoint following a ransomware attack on Russian company AN Security in January involving LockBit ransomware, says Aamil Karimi, threat intelligence leader at Optiv.
Bohuslavskiy of RedSense says suspicions that a LockBit administrator was likely replaced by agents of Russia's foreign intelligence service have not helped the group's image either.
It was around that time that LockBit's admin suddenly went quiet, Bohuslavskiy says.
RedSense this week published a blog summarizing the findings from a three-year investigation of LockBit, based on conversations with members of the operation.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 22 Feb 2024 23:45:26 +0000