Operation LockBit ransomware-as-a-service (RaaS) has relaunched its escape site, just a week later a coordinated removal operation by global law enforcement.
On February 19, the “Operation Cronos Taskforce” – comprising, among other agencies, the FBI, Europol and the UK’s National Crime Agency (NCA) – carried out a massive action. According to Britain’s National Crime Agency (NCA)., the task force destroyed infrastructure across three countries, including dozens of servers. It seized code and other valuable information, a large amount of data stolen from its victims, and over 1,000 associated decryption keys. It vandalized the group’s leak site and its affiliate portal, froze more than 200 cryptocurrency accounts, arrested a Polish citizen and a Ukrainian, and indicted two Russian citizens.
An NCA spokesperson he summed it all up on February 26thtelling Reuters that the group “remains completely compromised.”
The person added, however, that “our work to target and counter them continues.”
Indeed, Operation Cronos may not have been as complete as it first appeared. Although law enforcement managed to damage LockBit’s primary infrastructure, its leader admitted in a letterits backup systems remained intact, allowing the operation to recover quickly.
The message left on the LockBit affiliate portal; Source: vx-underground via X (formerly Twitter)
“Ultimately, this is a law enforcement strike against them,” says former FBI Special Agent Michael McPherson, now senior vice president of technical operations at ReliaQuest. “I don’t think anyone is naive enough to say this is the nail in the coffin for this group, but this is a huge blow.”
LockBit’s side of the story
It would be best to greet the LockBit leader with skepticism. “Like a lot of these guys in the ransomware space, He has a nice ego, he’s a bit unstable. And he’s known to tell some pretty tall tales when it suits his purpose,” says Kurtis Minder, ransomware negotiator and co-founder and CEO of GroupSense.
In his letter, however, the person or people Minder refers to as “Alex” strikes a particularly humble tone.
“Due to my personal negligence and irresponsibility I relaxed and did not update PHP on time,” the ransomware leader wrote, citing the critical PHP bug, rated 9.8 out of 10 by CVSS CVE-2023-3824 “as a result of this access was gained to the two main servers on which this version of PHP was installed. I realize that it may not have been this CVE, but something else like 0day for PHP, but I can’t be sure at the moment 100%.”
Crucially, he added, “all other servers with backup blogs that did not have PHP installed are not affected and will continue to provide stolen data to the attacked companies.” In fact, thanks to this redundancy, the LockBit leak site was back up and running after a week, with a dozen victims: a lending platform, a national network of dental labs and, most notably, Fulton County, in Georgia, where former President Trump is located. currently involved in a legal battle.
Source: Bitdefender
Does law enforcement action have an impact?
For years now, US and EU law enforcement agencies have made headlines with high-profile raids against major ransomware operations: Hive, AlphV/BlackCat, Ragnar’s Locker, and so on. This despite these efforts ransomware continues to increase it can inspire apathy in some.
But following such incursions, McPherson explains, “Either these groups didn’t reconstitute, or they recovered to a lesser extent. For example, Hive hasn’t come back yet — there was interest, but it really hasn’t “. does not materialize.”
Even if law enforcement didn’t completely eliminate LockBit, it still likely caused serious damage to hackers. For example, Minder points out, “they apparently had access to some affiliate information,” which gives authorities considerable leverage.
“If I am an affiliate or other ransomware developer, I might think twice before interacting with these people in case they have turned FBI informant. So it’s creating some mistrust. On the other hand, I think they’re doing the same with LockBit by saying, “Hey, we actually know who all the affiliates are, we have all their contact information.” So now LockBit will be suspicious of its affiliates. There’s a bit of chaos. It’s interesting.”
To truly solve ransomware in the long term, however, governments may need to complement flashy cleanup operations with effective policies and programs.
“There needs to be a balanced program, perhaps at the federal government level, that actually helps in prevention, in response, in remediation. I think if we saw how much capital is actually leaving the American economy as a result of this type of activity, we would see that It would make sense to subsidize such a program, which would save people from having to pay a ransom,” he says.