Matt Burgess
For the last four years, the LockBit ransomware group has been on an unrelenting rampage, hacking into thousands of businesses, schools, medical facilities, and governments around the world—and making millions in the process. A children’s hospital, Boeing, the UK’s Royal Mail, and sandwich chain Subway have all been recent victims.
But LockBit’s hacking campaign has come to a juddering halt. A sweeping law enforcement operation, led by police at the UK’s National Crime Agency (NCA) and involving investigators from 10 forces around the world, has infiltrated the ransomware group and taken its systems offline.
Graeme Biggar, the director general of the NCA, says the group has been “fundamentally disrupted.” The law enforcement operation, called “Operation Cronos,” has taken control of LockBit’s infrastructure and administration system, seized its dark web leak site, accessed its source code, seized around 11,000 domains and servers, and obtained details of the group’s members. “As of today, LockBit is effectively redundant,” Biggar said at a press conference in London, appearing with law enforcement officials from the FBI and Europol. “We have hacked the hackers,” he says.
The action is one of the largest, and potentially most significant, ever taken against a cybercrime group. Biggar says the law enforcement officials consider LockBit, which is global in nature, to have been the “most prolific and harmful” ransomware group that has been active in recent years. It was responsible for 25 percent of attacks in the last year. “LockBit ransomware has caused losses of billions,” Biggar says of the overall costs of attacks and recovery.
As well as the seizing of technical infrastructure, the law enforcement operations around LockBit also include arrests in Poland, Ukraine, and the United States and sanctions for two alleged members of the group who are based in Russia. The group has members spread around the world, the officials said.
Nicole M. Argentieri, acting assistant attorney general at the US Department of Justice, says LockBit has received more than $120 million in ransomware payments and the action announced against the group is just the start of the clampdowns.
The law enforcement action against LockBit was first revealed when its ransomware website dropped offline on February 19 and was replaced by a holding page saying it had been seized by police. The LockBit group, which debuted as “ABCD” before changing its name, first appeared at the end of 2019. Since then LockBit has rapidly attacked businesses and grown its name recognition within the cybercrime ecosystem. “LockBit has been a thorn in the side of businesses and governments for years, with well over 3,000 publicly known victims and [has been] seemingly untouchable,” says Allan Liska, an analyst specializing in ransomware for cybersecurity firm Recorded Future. LockBit’s long roster of victims includes various US government organizations, ports, and automotive companies.
LockBit operates as a “ransomware-as-a-service” operation, with a core handful of members creating its malware and running its website and infrastructure. This core group licenses its code to “affiliates” who launch attacks against companies, steal their data, and try to extort money from them. “LockBit is the last of the ‘open affiliate’ ransomware-as-a-service offerings, meaning anyone willing to cough up the cash can join their program with little or no vetting,” Liska says. “They likely have had hundreds of affiliates over the course of their run.”
LockBit affiliates have demanded millions of dollars from companies they hack—in one instance asking for $60 million from a car dealer based in the UK and recently setting an $800,000 ransom for a non-profit hospital. If companies refuse to pay, their data is published online. Earlier this month, LockBit posted 43 GB of data allegedly stolen from defense firm Boeing.
“They are quite indiscriminate in their targeting,” says Brett Callow, a threat analyst at antivirus company Emsisoft. The police action is likely to be the “most significant ransomware disruption” against a ransomware group to date, Callow says. He says the group has had a “cockroach-like resilience” since it was created and the law enforcement action is likely to send “shockwaves” through the largely Russian ransomware ecosystem. “Anybody who collaborated with LockBit will be concerned that law enforcement are now in possession of info that will point to them.”
Jon DiMaggio, chief security strategist at Analyst1, who has studied the group for years and been in constant contact with its leadership, says LockBit stands out from other cybercrime groups due to its “disciplined” and professionalized nature. The ransomware group has issued updates to its malware and encryption technologies multiple times and tried to stay under the radar, compared to other ransomware groups which have bragged about their activities.
DiMaggio says the leader of LockBit, who uses the online persona “LockBitSupp,” appears not to have been a technically skilled hacker themselves but more likely had a “background” in running a business and handling money. “They literally run it like it was a legitimate business,” DiMaggio says, adding that the group has strictly controlled the systems its core members use to communicate and that LockBitSupp appears to have been skilled in their operational security.
However, LockBit has also fallen into some boasting and grandstanding. The group organized an essay writing competition on a Russian-language cybercrime forum, with paid prizes for the winners. The most bizarre incident happened in September 2022 when the group offered to pay $1,000 to anyone who got a tattoo of its logo. Around 20 people posted photos and videos of tattoos on their arms, legs, wrists and more. The group has also offered a bounty of $10 million if someone successfully found and published the real name of the person behind LockBitSupp.
The takedown of LockBit comes as law enforcement agencies around the world have taken a progressively more aggressive approach to cybercrime groups in recent years. Police forces and even military hacking groups have successfully taken operations offline, in some cases claiming to create and share decryption keys to unlock encrypted files. These actions have often been accompanied by sanctions and indictments for key members of the cybercrime underground. The result has been a splintering of the cybercrime ecosystem, with large-scale ransomware groups, such as Conti and Trickbot, breaking up and some of their members reforming as smaller, less effective ransomware groups.
The takedown operation has—for the time being, at least—stopped one of the most long-lasting, notorious, and persistent ransomware groups. But it comes as payments to ransomware groups have hit record highs, and the threat to businesses remains prolific. Data released by cryptocurrency-tracing firm Chainalysis at the start of February revealed that across the whole of 2023, ransomware payments exceeded $1.1 billion—the highest they’ve ever been. Many criminals are also based in Russia, which has largely turned a blind eye to their actions and very rarely extradites those wanted abroad.
While the LockBit takedown is significant, it may only be temporary. Previous ransomware groups have reformed as new brands and continued their hacking and extortion. “Disruption of the LockBit ransomware service would seriously slow down the number of ransomware attacks, even though it might be temporary,” Recorded Future’s Liska says.
Perhaps more than anything else, the takedown is likely to send a message to LockBit’s affiliates and act as a sign that the group’s brand is tainted. A screenshot shared by cybersecurity research website VX-Underground appears to show a message received by LockBit affiliates trying to log into its systems: “We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more. You can thank LockbitSupp and their flawed infrastructure for this situation… we may be in touch with you very soon.”
In recent weeks, DiMaggio says, the LockBitSupp administrator has been behaving more erratically after being banned from two prominent Russian hacking forums. However, DiMaggio believes they may try to bring the group back under the same name. “The guy’s ego is so big and he’s so attached to that brand, I truly do not think that he will rebrand,” DiMaggio says. “Hopefully, it’ll be a watered down version and hopefully the real elite affiliates that now work for him will be concerned about working for him again.”
This is a developing story and is being updated with more information.