Global law enforcement dismantles LockBit ransomware gang

Global law enforcement agencies, including the FBI, disrupted the activities of the formidable LockBit ransomware gang, taking control of its platform and seizing data associated with its global ransomware-as-a-service (RaaS) operation.

The information obtained from the operation, called Operation Cronos, includes the source code, details of the ransomware victims, stolen data, decryption keys and the amount of money extorted by LockBit and its affiliates, according to a message from the authorities that appears when an affiliate logs in to LockBit's control panel. The news first broke on February 19, when a screenshot of that message was published on the X (formerly Twitter) account of Vx-Underground, an online archive of malware source code, samples and documents.

The message cited “Lockbitsupp [sic] and its faulty infrastructure” as the reason for the seizure and was signed off by the FBI, the UK National Crime Agency (NCA), Europol and the Operation Cronos Law Enforcement Task Force.

The NCA subsequently confirmed the police activity in a press release published today, claiming to have taken control of LockBit’s main administrative environment and the group’s public leak site on the Dark Web. Affiliates have used the former to create and execute attacks, while the latter is where LockBit hosted and published (or threatened to publish) the stolen data from victims.

“Instead, this site will now host a series of information exposing LockBit’s capabilities and operations, which the NCA will publish daily throughout the week,” according to the release.

Authorities also seized the source code of the LockBit platform and a large amount of information from its systems about the group's activities and those who worked with it, the NCA confirmed. They have also obtained a thousand LockBit decryption keys, and the respective authorities will be in contact with the victims to help them use the keys to recover their data.

LockBit “flaw” used against it

“LockBitSupp” is the threat actor/tech support service that runs the LockBit operation, using the Tor messaging service to communicate with affiliates. LockBitSupp’s account status on that service now shows a message that authorities have breached the ransomware operation’s servers using a PHP exploit, according to a published report.

The vulnerability used to compromise LockBit is tracked as CVE-2023-3824, a flaw present in PHP 8.0.x prior to 8.0.30, 8.1.x prior to 8.1.22 and 8.2.x prior to 8.2.8, according to Vx-Underground. In vulnerable versions, reading PHAR directory entries while loading a PHAR file can result in an “insufficient length check” that can lead to a stack buffer overflow, which in turn can potentially lead to “memory corruption or RCE”, according to the vulnerability's entry in the NIST National Vulnerability Database.
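A defender's first question after reading the affected ranges above is which hosts in the fleet still run a vulnerable PHP build. The following PowerShell is an added example, not code from the article, from Vx-Underground or from NIST; it parses `php -v` style version strings and checks them against the three branch ranges the article lists. The `$Inventory` hostnames and versions are constructed sample data, and the function name `Test-PhpCve20233824` is my own.

```powershell
# Added example: triage PHP version strings against the affected ranges the
# article gives for CVE-2023-3824 (8.0.x < 8.0.30, 8.1.x < 8.1.22, 8.2.x < 8.2.8).
# Hostnames and versions below are constructed, not real hosts.

# Fixed version for each affected minor branch, as stated in the advisory.
$FixedVersions = @{
    '8.0' = [version]'8.0.30'
    '8.1' = [version]'8.1.22'
    '8.2' = [version]'8.2.8'
}

function Test-PhpCve20233824 {
    param([Parameter(Mandatory)][string]$VersionString)

    # Strip suffixes such as "8.1.2-1ubuntu2.14" or "8.2.7RC1" before parsing.
    if ($VersionString -notmatch '^(\d+)\.(\d+)\.(\d+)') {
        return [pscustomobject]@{ Version = $VersionString; Branch = $null; Status = 'unparseable' }
    }
    $parsed = [version]('{0}.{1}.{2}' -f $Matches[1], $Matches[2], $Matches[3])
    $branch = '{0}.{1}' -f $parsed.Major, $parsed.Minor

    if (-not $FixedVersions.ContainsKey($branch)) {
        # 7.x and older are end-of-life and outside the listed ranges: flag for manual review
        # rather than silently reporting them as safe.
        $status = 'branch-not-listed-review'
    } elseif ($parsed -lt $FixedVersions[$branch]) {
        $status = 'VULNERABLE'
    } else {
        $status = 'patched'
    }
    [pscustomobject]@{ Version = $VersionString; Branch = $branch; Status = $status }
}

# Constructed inventory: hostname -> PHP version string as reported by `php -v`.
$Inventory = @{
    'web-01' = '8.1.2-1ubuntu2.14'
    'web-02' = '8.2.8'
    'web-03' = '8.0.29'
    'legacy' = '7.4.33'
}

$Inventory.GetEnumerator() | ForEach-Object {
    $result = Test-PhpCve20233824 -VersionString $_.Value
    [pscustomobject]@{ Host = $_.Key; Version = $_.Value; Branch = $result.Branch; Status = $result.Status }
} | Sort-Object Status | Format-Table -AutoSize
```

One caveat the version string alone cannot answer: distributions often backport security fixes without bumping the upstream version number, so a build such as `8.1.2-1ubuntu2.14` may already carry the fix even though it sorts below 8.1.22. Treat `VULNERABLE` as "check the package changelog", not as a final verdict.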

The NCA did not confirm how authorities breached LockBit’s operations, but said the technical infiltration and disruption “is just the beginning of a series of actions against LockBit and its affiliates.” As part of the joint operation, Europol also arrested two LockBit actors in Poland and Ukraine, while more than 200 cryptocurrency accounts linked to the group were frozen.

RaaS targeted by law enforcement

LockBit is without a doubt the largest RaaS operation in the world, which has been rampantly plundering organizations and their data through customized malware tools and a network of cybercriminal affiliates since it first appeared on the scene in 2019. Between 2020 and June last year, the group extorted approximately $91 million through 1,700 cyber attacks against United States organizations.

Although LockBit’s initial victims were small to medium-sized companies, the group gained confidence over the years and began targeting larger, more recognizable organizations. Some of its more recent victims included aircraft manufacturer Boeing, sandwich maker Subway, Hyundai Motor Europe and Bank of America, among others.

Due to the size and scope of its activity, LockBit has long been in the crosshairs of global authorities, and even before Operation Cronos some members of the group had already been arrested.

In June last year, the US Department of Justice arrested and indicted a Russian national, Ruslan Magomedovich Astamirov, for his role as a LockBit affiliate in at least five attacks between August 2020 and March 2022. Astamirov was the third defendant charged by the DoJ in connection with the global LockBit ransomware campaign and the second defendant to be arrested.

While experts believe that the police action will certainly slow the pace of the group’s attacks in the immediate future, it will likely not entirely prevent LockBit and its affiliates from participating in ransomware activity, an assessment borne out by the resurgence of the BlackCat/ALPHV and Cl0p gangs after their dismantling.

“In time… they will reappear, probably under a different name, with current members likely joining or founding other successful gangs,” notes Yossi Rachman, senior director of research at security firm Semperis, in an email to Dark Reading.

“That’s why it’s important for organizations to remain vigilant to avoid compromises from the group,” he says. To this end, the Cybersecurity and Infrastructure Security Agency (CISA) has published a list of indicators of compromise (IOCs) for the group's ransomware and a series of mitigations (PDF) to reduce the risk of compromise.

Recommendations made by the agency include requiring that all accounts with password access have strong, unique passwords that are not reused across multiple accounts or stored on a system that an adversary could have access to. Organizations should also require the use of multi-factor authentication (MFA) for all services, to the extent possible, particularly for webmail, virtual private networks, and accounts accessing critical systems.

CISA also recommends that organizations keep all operating systems and software updated, prioritizing patching of known exploited vulnerabilities. Removing unnecessary access to administrative shares and/or limiting privileges can also prevent ransomware authors from accessing corporate systems.

Other recommendations made by the agency include using a host-based firewall that only allows connections to administrative shares via Server Message Block (SMB) from a limited set of administrator machines, and enabling protected files in the Windows operating system to prevent unauthorized changes to critical files.
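The host-based firewall recommendation above maps directly onto Windows Defender Firewall rules. The following PowerShell is an added example, not code from the article or from CISA; it allows inbound SMB (TCP 445) only from a short list of administrator workstations, disables the built-in broad SMB-In allow rules, and confirms that the default inbound policy is Block. The addresses in `$AdminHosts`, the rule group name and the helper `Get-SmbInboundExposure` are my own placeholders and assumptions, and the script must run in an elevated session.

```powershell
# Added example: restrict inbound SMB (TCP 445) to a limited set of admin machines
# using Windows Defender Firewall. Addresses below are constructed placeholders.

$AdminHosts = @('10.0.10.5', '10.0.10.6')   # placeholder admin workstations (assumption)
$RuleGroup  = 'SMB admin restriction (example)'

# Remove earlier copies of these example rules so the script is idempotent.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 1. Allow TCP 445 inbound only from the admin machines.
New-NetFirewallRule -DisplayName 'SMB-in: allow from admin hosts' `
    -Group $RuleGroup -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $AdminHosts -Action Allow -Profile Domain,Private | Out-Null

# 2. Windows evaluates Block rules before Allow rules, so an explicit "block 445
#    from Any" would also defeat the scoped allow above. The workable pattern is
#    to make sure no other rule opens 445 broadly and to rely on the default
#    inbound action being Block: disable the built-in File and Printer Sharing
#    (SMB-In) allow rules, which would otherwise expose 445 to every profile scope.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Ensure the default inbound action is Block on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Verification: list every enabled inbound Allow rule that opens TCP 445 and the
# remote addresses it accepts, so any remaining broad opening is visible.
function Get-SmbInboundExposure {
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
            [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; RemoteAddress = $remote }
        }
}

Get-SmbInboundExposure | Format-Table -AutoSize
```

After the script runs, the only row `Get-SmbInboundExposure` should print is the scoped admin rule; a row whose `RemoteAddress` reads `Any` means some other rule still opens port 445 to the whole network. Apply this on workstations and on servers that do not serve files; a file server needs a wider allow list for its client population, but its administrative shares should still be reachable only from the admin hosts.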
