In an act of exquisite trolling, the UK's National Crime Agency has announced further details about its disruption of the LockBit ransomware group by using the group's own dark web website.
Since the demise of Conti in 2022, LockBit has been unchallenged as the most prolific ransomware group in the world.
In the last 12 months it has racked up more than two and a half times as many known attacks as its closest rival.
This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, 'Operation Cronos'.
The real treat was an updated version of the LockBit website that returned it to something resembling its former self.
Until yesterday, the secret dark web site was used to list details of the organizations being held to ransom by LockBit.
In a graphic illustration of just how comprehensively the LockBit group has been compromised, the green squares now detail published information about the takedown, while red squares tease further reveals for the coming days.
Today, after infiltrating the group's network, the NCA has taken control of LockBit's services, compromising their entire criminal enterprise.
As well as taking over the leak site, law enforcement agencies have taken over LockBit's administration environment, seized the infrastructure used by LockBit's data exfiltration tool, Stealbit, captured over 1,000 decryption keys, and frozen 200 cryptocurrency accounts.
Criminal affiliates who logged into the compromised environment were warned that the NCA knows all about their activities too, and the NCA reports that 28 servers belonging to LockBit affiliates have also been taken down.
There are numerous reveals promised for the next few days, but the most tantalising is the imminent uncloaking of LockBit's leader and spokesperson, LockBitSupp.
In other words, the revamped site mimicked perfectly the way that ransomware gangs troll the world and each other.
The NCA signaled that it knows all about LockBit and the broader community of criminals it belongs to.
It knows that LockBit's affiliates and rivals will be watching, and looking over their shoulder.
Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
Use EDR or MDR to detect unusual activity before an attack occurs.
Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
Keep backups offsite and offline, beyond the reach of attackers.
Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
You can learn more about the threat of big game ransomware like LockBit and ALPHV in our 2024 State of Malware report.
This Cyber News was published on www.malwarebytes.com. Publication date: Tue, 20 Feb 2024 19:43:05 +0000