International Operation Hits Major Ransomware Player LockBit

Ransomware payments hit a record high in 2023, but law enforcement is fighting back. The US and UK led an international operation that disrupted LockBit. The ransomware-as-a-service group has been one of the biggest names in ransomware. Last year, it hit victims like ICBC Financial Services, CDW, and Taiwan Semiconductor Manufacturing Company (TSMC). The group has exploited more than 2,000 victims and raked in more than $120 million in ransom payments, according to the US Department of Justice.

What does this law enforcement operation mean for LockBit’s future and for the ongoing battle against ransomware?

The Operation

If you visit LockBit’s data leak website, you’ll be greeted by a message stating that the site is under the control of law enforcement. LockBit’s public-facing leak site is also now host to information on the group’s operations. The seizure of the website was just a part of the international operation.

The Federal Bureau of Investigation (FBI), the UK’s National Crime Agency (NCA), and partners in nine other countries banded together to create Operation Cronos. As a part of that operation, FBI breached LockBit’s servers using a PHP exploit, according to BleepingComputer.

“They were running PHP and as a result that … led to a whole cascade of takeovers and reconnaissance campaigns,” explains Richard Cassidy, field CISO at data security company Rubrik.

Related:LockBit Redux: Ransomware Gang Demands $80M, Leaks CDW Data

In addition to seizing public-facing websites and servers used by administrators, the international partners were able to develop decryption tools for LockBit’s victims. The Operation Cronos taskforce also resulted in freezing more than 200 cryptocurrency accounts linked to LockBit, according to the NCA.

“It’s very professional, and this is different than what we have seen before,” says Ferhat Dikbiyik, PhD, head of research and intelligence at Black Kite, a third-party risk management software and solutions company.

Law enforcement published names of LockBit affiliates, which places additional pressure on the group. “The affiliates probably got spooked because of their names [are] out there,” says Dikbiyik.

Operation Cronos has also led to the identification and charging of individuals involved with the group. “We have now charged a total of five LockBit associates, and our investigation remains ongoing,” Attorney General Merrick B. Garland said in a statement on the operation. The NCA shared that Europol, the EU’s law enforcement agency, coordinated actions to arrest two LockBit actors in Poland and Ukraine.

Related:LockBit Hits TSMC for $70 Million Ransom: What CIOs Can Learn

The Impact

Cybercriminal groups have proven to be adaptable in the past. How could this operation impact LockBit and its ability to continue operations?

In the near-term, law enforcement’s seizure of a sizeable chunk of its infrastructure and the release of decryption tools hampers the group’s ability to operate and to extort victims for ransom payments.

It is possible individuals involved with LockBit could attempt to reorganize under the same name or a different name. It is also possible they will seek retaliation after the disruption of operations, according to Yossi Rachman, senior director, research at Semperis, an active directory security and recovery platform.

“After the initial shock, they will probably try to regroup and try to hit back either under the same name or other names,” he says.

Trend Micro released research in coordination with the NCA, sharing that LockBit is developing a new version of its encryption malware. Trend Micro is tracking the variant as LockBit-NG-Dev.

What will the long-term impact be?  “It’s going to depend on a few different factors, including the resilience of their infrastructure, the ability of their leadership to regroup, the effectiveness of law enforcement potentially tracking and prosecuting those individuals,” says Matthew Corwin, managing director at consulting company Guidepost Solutions.

Related:2023 Ransomware Payments Hit $1.1B Record

Dikbiyik expects it will be difficult for LockBit to recover. “They may dismantle into smaller ransomware groups,” he says. “We witnessed that in the Conti ransomware group.”

Potential Power Plays

Whether LockBit will be able to regroup, or its players will disperse, remains to be seen. In the wake of this law enforcement action, other ransomware groups may enter a temporary quiet period, determining their own risk of compromise. But any lull in activity will likely be short lived. “Once the dust settles, they’ll try to fill LockBit’s vacuum as soon as possible,” says Rachman.

ALPHV/Blackcat is another active ransomware group. In 2023, the FBI offered a decryption tool to more than 500 of the group’s victims as part of a disruption campaign. And law enforcement continues to go after this group. The US Department of State is offering up to $10 million for information leading to the group’s leaders.

Clop, the ransomware gang behind the MOVEit breach, is a potential candidate to fill a gap left by LockBit. “There are some other players climbing up the ranks: Akira, Play, Rhysida,” says Dikbiyik. “These are other candidates, but I don't think any of them have enough resources to be as large as LockBit.”

The Ongoing Battle

Law enforcement’s blow to LockBit is progress in the battle against ransomware. “If law enforcement is able to sustain this type of response and then reduce the amount of time criminals are able to operate profitably, so increase the tempo of these kind of operations and scale these kinds of operations, it will eventually impact the volume and even the viability of these groups … by impacting their financial model,” says Corwin.

While enterprise leaders may breathe a sigh of relief following LockBit’s disruption, the risk of ransomware is still very much alive. LockBit’s players might regroup. Affiliates could bring their skills to other groups. Different ransomware groups could ramp up their activity. And as law enforcement agencies continue to learn and leverage more sophisticated techniques against ransomware groups, threat actors will also be stepping up their game.

“When a group like this gets caught in the way they have been, it means that other groups are going to look at ways to circumnavigate these types of infiltration techniques by agencies, and they are only going to get smarter and more the nefarious in their activities,” Cassidy cautions.

In addition to financially motivated groups like LockBit, there are state-sponsored threat actors that will use ransomware attacks against their victims. “Those will continue to exist and even more so with everything that's going on right now in the geopolitical situation,” says Rachman.

In this landscape, enterprises and their security teams will need to remain vigilant. Knowing the common tactics, techniques, and procedures (TTPs) leveraged by ransomware groups and a keen understanding of an enterprise’s vulnerabilities is vital.

“How … can [enterprises] monitor actively for indication of these kind of TPPs in their networks, in their information systems, and how [are they] going to be able to react to that?” asks Corwin. Cyber resilience is an important concept to embrace in the face of ongoing ransomware attacks. 

Attorney General Garland stressed the important role ransomware victims play in actions taken against groups like LockBit. “Actions like today’s would not be possible without victims reporting their ransomware attacks to law enforcement,” he said in his remarks.