Features 26.03.2024

The Lowdown on the Takedown: LockBit Ransomware Group

Say hello to LockBit 3.0

The story of the takedown of prolific ransomware operation LockBit is so wild it could be fiction. Kate O’Flaherty reports on what happened, whether it will have real impact, and what it means for businesses.

At 4pm Eastern Time on February 19 2024, authorities including the UK National Crime Agency (NCA), Federal Bureau of Investigation (FBI) and Europol pounced on prolific ransomware operation LockBit, seizing its darknet sites and arresting two people.

Five days later at a press conference, the FBI’s cyber deputy assistant director Brett Leatherman confirmed a joint operation involving 10 countries had “disrupted LockBit’s front and back-end infrastructure in the US and abroad”.

Dubbed Operation Cronos, the LockBit raid was different from previous takedowns, which typically saw law enforcement seize leak site pages and knock over the ransomware operation's servers, then stop there.

“It’s very hard to see the LockBit brand surviving this” Mark Stockley

This time, law enforcement played the ransomware criminals at their own game. It began with what amounted to a social engineering operation: the functionality of LockBit's dark web leak site was retained, but the victim posts were replaced with material doxing LockBit's own affiliates.

Law enforcement obtained 30,000 Bitcoin addresses used for managing the group’s profits from ransom payments, containing 2,200 BTC (£89 million / $112 million). Meanwhile, a decryptor for the group’s latest malware, LockBit 3.0, was made using the seized keys and released for free on the website of anti-ransomware initiative No More Ransom.

“The NCA has taken control of LockBit’s primary administration environment, which enabled affiliates to build and carry out attacks, and the group’s public-facing leak site on the dark web, on which they previously hosted, and threatened to publish, data stolen from victims,” a post on the NCA’s website reads.

“Instead, this site will now host a series of information exposing LockBit’s capability and operations, which the NCA will be posting daily throughout the week.”

It’s a wild story and it’s not over yet, with LockBit claiming to have returned just five days after the initial raid. Yet so far, the LockBit takedown is widely viewed as a success.

Some of the PR commentary Assured Intelligence received says otherwise, with many commentators suggesting law enforcement still haven’t caught the main kingpins, and the group will just come back under another name.

So, what’s the real story and what can be learnt from the LockBit takedown operation?

LockBit by another name

First spotted in 2019, LockBit had become the world's most successful ransomware operation, responsible for up to a third of all leaked data at any given time. Operating a ransomware-as-a-service (RaaS) model, the core group supplied the malware and infrastructure while affiliates compromised victim organisations and deployed it.

“LockBit is looking to rebuild its reputation, but all of the major affiliates who worked with them will have to reassess their own operational security carefully” Robert McArdle

Following the high-profile takedown, Rebecca Moody, head of data research at Comparitech says the industry’s “cynical thoughts” about LockBit’s return were correct: “The takedown doesn’t appear to have had a huge impact on operations. After a few quiet days, LockBit returned with new ransomware claims and perhaps a point to prove.”

In January of this year, before the takedown, Moody says Comparitech logged 49 unconfirmed claims from LockBit and nine confirmed attacks. Fast-forward to February and there were 92 unconfirmed claims from LockBit, says Moody.

While she concedes only one claim has been confirmed via LockBit for February 2024 – Groton Public Schools in the US – she says: “Cyber attacks as a result of these tend to follow over the next month, so this figure will likely increase.”

Yet other experts argue the takedown has already had an impact. While there have been a lot of “bravado type comments” from LockBit admins and members of the criminal underground, the reality is “less assured”, says Robert McArdle, director of Trend Micro’s Forward Looking Threat Research team, which played a key role in the disruption of LockBit and collaborated with global law enforcement in the takedown.

It has only been a short time since the disruption, but currently ransomware leak volumes are down significantly, he says. “LockBit is looking to rebuild its reputation, but all of the major affiliates who worked with them will have to reassess their own operational security carefully.”

McArdle acknowledges that a lot of the PR messaging saw the raid as “just another takedown”, and that “without arrest, it will have no effect”.

This is true when talking about past takedowns, where the people involved are still at large, have the code, and it’s not hard to spin up another server and get operations working again, says McArdle.

Disruption, not takedown

But this operation was “fundamentally different”, he says. “The goal was always disruption, not takedown. Everyone involved knew that LockBit would have the technical capability to restart their operations, and they have already tried, but that’s not the goal of a disruption.”

Instead, says McArdle: “We do everything we can to make it impossible for the target business – LockBit in this case – to survive.”

This means destroying the reputation of the key actors; driving a wedge between the group and its affiliate network; and making it risky for any other criminals to consider doing business with LockBit.

It was all about tactics. McArdle describes how the operation detailed the technical aspects of Lockbit-NG-Dev – the group’s newest version of its data-locking malware – to make it impossible to use it for a LockBit 4.0 relaunch or re-brand. “We also detailed a collection of their issues and difficulties. These were all generally public before but putting it in one place showed just how dysfunctional this organisation was.”

The law enforcement operation will deal a “significant blow” to the group’s operations, says Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest. It is likely members will feel apprehensive about continuing their involvement with a group that has been so heavily targeted by law enforcement, leaving themselves open to future identification or prosecution, he says. However, it’s possible that members will take their experience to alternative ransomware groups, or otherwise start their own operations, he concedes.

LockBit 3.0

It’s true that LockBit can rebrand at any time, but that’s not a simple process, says Keegan Keplinger, senior threat researcher at eSentire’s Threat Research Unit. “Tactics, techniques, procedures and infrastructure must be refactored, branding and leak site redesigned, and a new ransomware strain needs to be written. This takes time and resources.”

McArdle details some positive developments relating to claims of new LockBit attacks in the days after the disruption. “In every case we looked at these, they are not LockBit, but Bl00dy or other ransomware based on the leaked build of LockBit 3.0.”

“After a few quiet days, LockBit returned with new ransomware claims and perhaps a point to prove” Rebecca Moody

He concedes that LockBit did come back with a new leak site, which listed victims. However, the vast majority of these are old leaks republished “to make them look more active than they are”.

Going forward, the primary unanswered question is how much of LockBit group is left intact, and what they will do next, says Mark Stockley, senior threat intelligence researcher at Malwarebytes. “It’s very hard to see the LockBit brand surviving this, so I expect it will either rebrand or disperse into other groups in the way that Conti did. But will anyone want to work with them?”

Only time will tell how much real impact the operation has had, but for businesses, there are takeaways to consider. A concerning revelation from the recent takedown is the discovery of stolen data from entities that had previously paid ransoms, says Adam Harrison, managing director in the cybersecurity practice at FTI Consulting. This underscores the fact that ransom payments do not guarantee data deletion by ransomware operators, he says.

LockBit’s basic security hygiene was also an issue. There are indications that vulnerabilities in unpatched infrastructure operated by LockBit facilitated this takedown, Harrison says. “If there were any doubts about the importance of regular patching, let this serve as a valuable lesson.”

Two days in the life of the LockBit takedown (via Trend Micro)

  • 19 February 2024: Law enforcement agencies, including the NCA in the UK, take over all LockBit leak site pages – replacing them with a splash page and a countdown promising more information. Affiliates who log in are greeted with personalised messages telling them politely that the NCA will be in touch.
  • 20 February 2024: A “Lockbit Leak Site” is created, but with a twist: Law enforcement is leaking data on the attackers instead. Countdowns run each day with more revealed as the week goes on, including:
    • Decryptors for the malware
    • Leaks of the backend panels
    • Full list of affiliate usernames
    • Arrests of three individuals in Poland and Ukraine
    • Unsealed indictment naming five other key members in Russia and offering financial rewards for information leading to their capture
    • Further international sanctions making it illegal to pay or otherwise support the named individuals, and allowing their accounts and assets to be seized
    • Cryptocurrency tracking and seizure
