Arrogance may have contributed to the downfall of ransomware kingpin LockBit

For all its vaunted success, the LockBit ransomware operation appears to have already been plagued by problems when an international law enforcement operation led by the UK’s National Crime Agency (NCA) took it down this week.

Reports from security vendors that emerged following the takedown paint a picture of a once innovative and aggressive RaaS (ransomware-as-a-service) group recently grappling with dissent among members and affiliates, and with the perception among some in the criminal community that it was a spy.

Irreparable damage?

Many believe that the law enforcement operation has likely caused irreparable damage to the criminal group’s ability to continue with ransomware activities, at least in its current form and under the LockBit brand. While the dozens of independent affiliates that have deployed LockBit on victim systems are likely to continue operations using other RaaS providers, their ability to continue with LockBit itself appears impractical for the time being.

“It’s probably too early to tell,” says Jon Clay, vice president of threat intelligence at Trend Micro, which worked with the NCA to analyze a new development version of LockBit and release indicators of compromise for it. “But because of the exposure and all the information being shared, like [LockBit’s] decryption tools, cryptocurrency accounts seized, and infrastructure removal, the group and its affiliates will likely be hindered from operating effectively.”

The NCA’s cyber division, in collaboration with the FBI, the US Department of Justice and law enforcement agencies in other countries, revealed earlier this week that they had caused major disruption to LockBit’s infrastructure and operations under the aegis of a months-long effort dubbed “Operation Cronos.”

The international effort resulted in law enforcement taking control of LockBit’s primary administrative servers, which allowed affiliates to carry out attacks; the group’s primary leak site; the source code of LockBit; and valuable information on affiliates and their victims. Over the course of 12 hours, members of the Operation Cronos task force seized 28 servers in three countries used by LockBit affiliates in their attacks. They also took down three servers hosting a custom LockBit data exfiltration tool called StealBit; recovered over 1,000 decryption keys that could potentially help victims recover data encrypted with LockBit; and froze around 200 cryptocurrency accounts linked to LockBit.

The initial compromise appears to have been the result of an op-sec error on LockBit’s part: an unpatched PHP vulnerability (CVE-2023-3824) that allowed law enforcement to gain a foothold in the LockBit environment.

$15 million reward

On the same day, the US DoJ also unveiled an indictment charging two Russian nationals – Ivan Kondratyev, aka Bassterlord, one of the most prominent of LockBit’s numerous affiliates, and Artur Sungatov – with ransomware attacks against victims in the United States. The department also revealed that it currently has two other people, Mikhail Vasiliev and Ruslan Astamirov, in custody on charges related to their participation in LockBit. With the new indictment, the U.S. government says it has so far charged five key LockBit members for their roles in the crime syndicate’s operations.

On February 21, the US State Department stepped up pressure against LockBit members by announcing rewards totaling $15 million for information leading to the arrest and conviction of key members and leaders of the group. The Treasury Department joined the fray by imposing sanctions on Kondratyev and Sungatov, meaning that any future payments that LockBit’s US victims make to LockBit will be strictly illegal.

In carrying out the takedown, law enforcement left somewhat mocking messages for affiliates and others connected to LockBit on the sites seized during the operation. Some security experts saw the trolling as a deliberate attempt by Operation Cronos to shake the confidence of other ransomware authors.

One reason is to “send a warning message to other operators that LEA can and will target your group for similar actions,” says Yelisey Bohuslavskiy, head of research at threat intelligence firm RedSense. “Many groups are likely currently evaluating their operational security to determine whether they have already been breached and may need to figure out how to better protect their operations and infrastructure.”

Together, these actions represented a well-deserved success for law enforcement against a group that over the past four years has caused billions of dollars in damage and extracted a staggering $120 million from victim organizations around the world. The move follows a series of similar successes last year, including the takedowns of ALPHV/BlackCat, Hive, Ragnar Locker, and Qakbot, a widely used ransomware dropper.

A challenge to rebuild

While other groups have recovered after similar takedowns, LockBit itself may face a bigger challenge in restarting. In a blog post following news of the takedown, Trend Micro described the group as one that had recently been struggling to stay afloat due to numerous problems. These include the theft and subsequent leak of the LockBit builder by a disgruntled member in September 2022, which allowed other threat actors to distribute ransomware based on the LockBit code. A series of blatantly false claims about new victims and fabricated data leaks posted on LockBit’s site since last April have also raised questions about the group’s victim count, and its increasingly frantic efforts to attract new affiliates have had “an air of desperation” around them, Trend Micro said. LockBit’s reputation as a trusted RaaS player among cybercriminals has also taken a hit following rumors of its refusal to pay affiliates as promised, the security vendor said.

Recently, LockBit’s administrative team has come under significant pressure from a reliability and reputation perspective following a January ransomware attack against the Russian company AN Security involving the LockBit ransomware, says Aamil Karimi, threat intelligence lead at Optiv.

“Attacks against CIS countries are strictly prohibited in most RaaS operations,” says Karimi. “They faced fines and banishment from underground forums following the attack on AN Security.” Adding further drama to the incident are rumors that a rival group carried out the attack deliberately to cause trouble for LockBit, he notes.

An FSB spy?

Because of this, rival groups have had many opportunities to take over the space occupied by LockBit. “There was no remorse from rival groups” after news of LockBit’s takedown broke, he says. “LockBit was the most prolific of the groups, but as far as respect and reputation, I don’t think any love was lost.”

RedSense’s Bohuslavskiy says suspicions that a LockBit administrator may have been replaced by agents of Russia’s Federal Security Service (FSB) have not helped the group’s image. He says the origins of these suspicions date back to 2021, when the Russian government appeared to take a series of actions against ransomware operators such as REvil and Avaddon. It was around that time that the LockBit administrator suddenly went silent, Bohuslavskiy says.

“This was mainly noticed by [initial access brokers] with whom [the administrator] worked directly,” he notes. “In August the administrator reappeared, and that’s when the IABs started saying that the person had been changed and replaced by an FSB agent.”

RedSense this week published a blog summarizing the results of a three-year investigation into LockBit, based on conversations with members of the operation.
