Like most operators out there, we Truly I appreciated the news last month about international law enforcement agencies shutting down LockBit, one of the largest in the world the most profitable ransomware gangs.
Ransomware has become a global problem over the past 10 years, with modern ransomware groups effectively operating as complex businesses. Over the past year or so, several governments and private companies have worked together to dismantle these gangs. The coordination bodies involved Operation Chrono used LockBit’s infrastructure to publish details of the gang’s operations. For example, LockBit leak site was used to publicize the removal: arrests in multiple countries, available decryption keys, information about the authors, and so on. This tactic not only serves to embarrass LockBit, but is also an effective warning to the group’s affiliates and other ransomware groups.
Screenshot of the LockBit leak site after removal summarizing law enforcement activities. (Source: Aaron Walton.)
This activity against LockBit represents a major victory, but ransomware remains a significant problem, also from LockBit. To better combat ransomware, the cybersecurity community needs to consider some lessons learned.
Never trust criminals
According to the UK’s National Crime Agency (NCA), there have been cases where a victim paid LockBit, but the group did not delete data from its servers as promised.
This is not unusual, of course. Many ransomware gangs fail to do what they say they do, whether it’s providing a method to decrypt files or continuing to store stolen data (rather than deleting it).
This highlights one of the key risks of paying a ransom: the victim trusts a criminal to hold up their end of the bargain. Revealing that LockBit was not deleting data as promised severely damages the group’s reputation. Ransomware gangs must maintain an appearance of trustworthiness, otherwise their victims will have no reason to pay them.
It is important that organizations prepare for these eventualities and have plans in place. Organizations should never assume that decryption will be possible. Instead, they should prioritize creating thorough disaster recovery plans and procedures in case their data is compromised.
Share information to draw connections
Law enforcement organizations, such as the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the United States Secret Service, are always interested in attackers’ tactics, tools, payments, and communication methods. These details can help them identify other victims targeted by the same attacker or by an attacker using the same tactics or tools. The information collected includes information about victims, financial losses, attack tactics, tools, communication methods, and payment requests which, in turn, helps law enforcement agencies better understand ransomware groups. The information is also used to file charges against criminals when they are caught. If law enforcement could spot patterns in the techniques used, it would reveal a more complete picture of the criminal organization.
In the case of ransomware-as-a-service (RaaS), agencies employ a two-pronged attack: destroying both the group’s administrative staff and its affiliates. Administrative staff are generally responsible for managing the data leak site, while affiliates are responsible for distributing ransomware and encrypting networks. Administrative staff favor criminals and, without their removal, will continue to favor other criminals. Affiliates will work for other ransomware gangs if administrative staff is cut.
Affiliates use infrastructure that they have purchased or accessed illegally. Information about this infrastructure is exposed by their tools, network connections, and behaviors. Administrator details are exposed through the redemption process: In order for the redemption process to take place, the administrator provides a communication method and a payment method.
While the significance may not seem immediately valuable to an organization, law enforcement and researchers are able to leverage these details to reveal more about the criminals behind them. In the case of LockBit, law enforcement was able to use details from past incidents to plan disruptions to the group’s and some affiliates’ infrastructure. Without this information, gathered with the help of victims of the attacks and allied agencies, Operation Cronos probably would not have been possible.
It is important to note that organizations do not need to be victims to help. Governments are eager to collaborate with private organizations. In the United States, organizations can join the fight against ransomware by partnering with CISA, which formed the Joint Cyber Defense Collaborative (JCDC) to build global partnerships to share critical, timely information. The JCDC facilitates two-way information sharing between government agencies and public organizations.
This collaboration helps both CISA and organizations stay ahead of trends and identify attacker infrastructure. As the LockBit takedown demonstrates, this type of collaboration and information sharing can provide law enforcement with a critical advantage against even the most powerful attacker groups.
Present a united front against ransomware
We can hope that other ransomware groups take the action against LockBit as a warning. But in the meantime, we continue to be diligent in protecting and monitoring our networks, sharing information and collaborating, because the threat of ransomware is not over. Ransomware gangs benefit when their victims believe they are isolated, but when organizations and law enforcement work side by side to share information, together they can stay one step ahead of their adversaries.