Despite the LockBit Ransomware-as-a-Service (RaaS) gang claiming to be back after a high-profile takedown in mid-February 2024, an analysis reveals significant, ongoing disruption to the group's activities, along with ripple effects throughout the cybercrime underground, with implications for business risk. LockBit was responsible for 25% to 33% of all ransomware attacks in 2023, according to investigators, easily making it the biggest financial threat actor group of the last year. Since it emerged in 2020, it has claimed thousands of victims and millions in ransom, including cynical hits on hospitals during the pandemic.
See: https://redskyalliance.org/xindustry/ion-lockbit
The Operation Cronos effort, involving multiple law enforcement agencies around the world, led to outages on LockBit-affiliated platforms, and a takeover of its leak site by the UK's National Crime Agency (NCA). Authorities then used the latter to make arrests, impose sanctions, seize cryptocurrency, and more activities related to the inner workings of the group. They also publicized the LockBit admin panel and exposed the names of affiliates working with the group. They noted that decryption keys would be made available, and revealed that LockBit, contrary to its promises to victims, never deleted victim data after payments were made.
In all it was an informed show of force and access from the policing community, spooking others in the ecosystem in the immediate aftermath and leading to wariness when it comes to working with any re-emergent version of LockBit and its ringleader, who goes by the handle "LockBitSupp." Researchers noted that, two and a half months after Operation Cronos, there is little evidence that things are turning around for the group, despite LockBitSupp's claims that the group is working its way back into normal operations.
Operation Cronos was initially met with skepticism by researchers, who pointed out that other recent, high-profile takedowns of RaaS groups like Black Basta, Conti, Hive, and Royal (not to mention the infrastructure for initial access trojans like Emotet, Qakbot, and TrickBot), have resulted in only temporary setbacks for their operators. The LockBit strike is different: The sheer amount of information that law enforcement was able to access and make public has permanently damaged the group's standing in Dark Web circles.
While takedowns often focus on taking out command-and-control infrastructure, this effort went further: police managed to compromise LockBit's admin panel, expose affiliates, and access information and conversations between affiliates and victims. This cumulative effort has tarnished LockBit's reputation among affiliates and the wider cybercrime community, which will make it harder for the group to come back. The fallout from the cybercrime community was swift. LockBitSupp has been banned from two popular underground forums, XSS and Exploit, hampering the admin's ability to garner support and rebuild.
Shortly after, a user on X (formerly Twitter) called "Loxbit" claimed in a public post to have been cheated by LockBitSupp, while another presumed affiliate called "michon" opened a forum arbitration thread against LockBitSupp for nonpayment. One initial-access broker (IAB) using the handle "dealfixer" advertised their wares but specifically stated that they did not want to work with anybody from LockBit. Another IAB, "n30n," opened a claim on the ramp_v2 forum about loss of payment surrounding the disruption.
Perhaps worse, some forum commentators were extremely concerned by the sheer amount of information that police were able to compile, and some speculated that LockBitSupp may even have worked with law enforcement on the operation. LockBitSupp quickly announced that a vulnerability in PHP was to blame for the ability of law enforcement to infiltrate the gang's information; Dark Web denizens simply pointed out that the bug is months old and criticized LockBit's security practices and lack of protection for affiliates.
The cybercrime community's sentiments toward LockBit's disruption ranged from satisfaction to speculation about the group's future, hinting at the significant impact of the incident on the RaaS industry. The disruption has prompted some self-reflection among other active RaaS groups: a Snatch RaaS operator pointed out on its Telegram channel that they were all at risk.
Disrupting and undermining the business model seems to have had a far greater cumulative effect than executing a technical takedown. Reputation and trust are key to attracting affiliates, and once these are lost, it is harder to get actors to return. Operation Cronos succeeded in striking at the element of LockBit's business that mattered most: its brand.
Cyber threat investigators noted that this can be a time for businesses to reassess their defense models, as we may see a slowdown in attacks while other groups assess their own operational security. This is also a time to review your business's incident response plan to make sure all aspects of a breach are covered, including business operation continuity, cyber insurance, and the decision on whether or not to pay a ransom.
New Tor leak sites launched recently, and LockBitSupp said on the ramp_v2 forum that the gang is actively seeking out IABs with access to .gov, .edu, and .org domains, indicating a thirst for revenge. It wasn't long before scores of supposed victims started appearing on the leak site, starting with the FBI. When the ransom payment deadline came and went, instead of sensitive FBI data appearing on the site, LockBitSupp posted a lengthy declaration that the group would continue to operate. In addition, more than two-thirds of the listed victims were re-uploads of attacks that occurred prior to Operation Cronos. Of the remainder, the victims belonged to other groups, such as ALPHV. In all, Trend Micro's telemetry revealed just one small genuine LockBit activity cluster after Cronos, from an affiliate in Southeast Asia that carried a low US$2,800 ransom demand.
The group has also been developing a new version of its ransomware, LockBit-NG-Dev, which appears to have a new .NET core that allows it to be more platform-agnostic; it also removes the self-propagating capabilities and the ability to print ransom notes via the user's printers.
"The code base is completely new in relation to the move to this new language, which means that new security patterns will likely be needed to detect it. It's still a functional and powerful piece of ransomware," researchers warned. These are anemic signs of life at best for LockBit, and it is unclear where it or its affiliates may go next. Defenders will need to be prepared for shifts in ransomware gang tactics going forward as those participating in the ecosystem assess the state of play. RaaS groups are likely examining the weaknesses that could get them caught by law enforcement. They may review what types of businesses and organizations they target so as to draw less attention to their attacks. Affiliates may look at how they can rapidly shift from one group to another in case their main RaaS group gets taken down. Always have a plan B.
A shift toward data-exfiltration-only attacks rather than ransomware deployments may increase, since these do not disrupt a victim's business but still generate profits. RaaS groups may also shift entirely toward other attack types, such as Business Email Compromise (BEC), which do not appear to cause as much disruption but remain very lucrative for attackers.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
https://www.darkreading.com/threat-intelligence/lockbit-ransomware-takedown-strikes-brand-viability