Although ransomware-as-a-service (RaaS) group LockBit claims to be back following a high-profile takedown in mid-February, an analysis reveals significant and ongoing disruption to the group’s operations, along with ripple effects across the cybercrime underground that carry business-risk implications.
According to Trend Micro, LockBit was responsible for 25% to 33% of all ransomware attacks in 2023, making it the largest financially motivated threat actor group of the past year. Since it emerged in 2020, it has claimed thousands of victims and millions in ransoms, including cynical attacks on hospitals during the pandemic.
The Operation Cronos effort, which involved multiple law enforcement agencies around the world, led to the disruption of LockBit-affiliated platforms and the takeover of the group’s leak site by the UK’s National Crime Agency (NCA). The authorities then used that site to announce arrests, sanctions, cryptocurrency seizures, and other actions aimed at the internal workings of the group. They also seized LockBit’s admin panel and exposed the names of affiliates working with the group.
They further announced that decryption keys would be made available, and revealed that LockBit, contrary to what it promised victims, never deleted victims’ data after payment.
Overall, it was a canny display of strength and access by the law enforcement community, one that spooked others in the ecosystem in the immediate aftermath and sowed mistrust toward any re-emerging version of LockBit and of its leader, who goes by the handle “LockBitSupp.”
Trend Micro researchers noted that, two and a half months after Operation Cronos, there is little evidence that the group’s fortunes are changing, despite LockBitSupp’s claims that it is returning to normal operations.
A different kind of fight against cybercrime
Operation Cronos was initially met with skepticism by researchers, who pointed out that other recent high-profile takedowns of RaaS groups such as Black Basta, Conti, Hive and Royal (not to mention the infrastructure of initial-access trojans like Emotet, Qakbot and TrickBot) have resulted in only temporary setbacks for their operators.
However, the LockBit strike is different: the enormous amount of information that law enforcement was able to access and make public has permanently damaged the group’s standing in Dark Web circles.
“While they often focus on removing command-and-control infrastructure, this effort went further,” Trend Micro researchers explained in an analysis published today. “It saw police succeed in compromising LockBit’s admin panel, unmasking affiliates, and accessing information and conversations between affiliates and victims. This cumulative effort has helped tarnish LockBit’s reputation among affiliates and the cybercrime community in general, which will make it harder to come back from.”
Indeed, the fallout within the cybercrime community has been swift, Trend Micro noted. For one, LockBitSupp has been banned from two popular underground forums, XSS and Exploit, hindering the administrator’s ability to get support and rebuild.
Shortly thereafter, an X (formerly Twitter) user called “Loxbit” claimed in a public post to have been scammed by LockBitSupp, while another alleged affiliate called “michon” opened a forum arbitration thread against LockBitSupp for non-payment. An initial access broker (IAB) using the handle “dealfixer” advertised his wares but specifically stated that he did not want to work with anyone from LockBit. And another IAB, “n30n,” opened a complaint on the ramp_v2 forum about a payment lost because of the outage.
Perhaps worse, some forum commenters were alarmed by the sheer amount of information the police had managed to gather, and some speculated that LockBitSupp might even have collaborated with law enforcement in the operation. LockBitSupp quickly announced that a PHP vulnerability was what allowed law enforcement to infiltrate the gang’s systems; Dark Web denizens simply pointed out that the bug was months old and criticized LockBit’s poor security practices and lack of protection for affiliates.
“The cybercrime community’s sentiments toward the LockBit outage ranged from satisfaction to speculation about the group’s future, suggesting the incident’s significant impact on the RaaS industry,” according to Trend Micro’s analysis, published today.
The Chilling Effect of LockBit’s Disruption on the RaaS Industry
Indeed, the outage gave other active RaaS groups pause: one Snatch RaaS operator pointed out on the group’s Telegram channel that they were all at risk.
“Disrupting and undermining the business model appears to have had a much greater cumulative effect than performing a technical takedown,” according to Trend Micro. “Reputation and trust are key to attracting affiliates, and when these are lost, it is more difficult to convince people to return. Operation Cronos managed to hit the most important element of its business: its brand.”
Jon Clay, vice president of threat intelligence at Trend Micro, tells Dark Reading that the defanging of LockBit, and the chilling effect of the outage on RaaS groups generally, present an opportunity for enterprise risk management.
“This may be the time for companies to reevaluate their defense models as we may see a slowdown in attacks as these other groups evaluate their operational security,” he notes. “This is also the time to review a business incident response plan to ensure you cover all aspects of a breach, including continuity of business operations, cyber insurance and response: to pay or not to pay.”
LockBit’s signs of life are greatly exaggerated
LockBitSupp is still trying to recover, Trend Micro has found, albeit with few positive results.
New Tor leak sites were launched a week after the operation, and LockBitSupp said on the ramp_v2 forum that the gang was actively seeking IABs with access to .gov, .edu and .org domains, signaling a thirst for revenge. It wasn’t long before dozens of alleged victims began appearing on the leak site, starting with the FBI.
However, when the ransom deadline came and went, instead of sensitive FBI data appearing on the site, LockBitSupp posted a lengthy statement that the group would continue to operate. Furthermore, more than two-thirds of the listed victims were re-uploads from attacks that occurred before Operation Cronos. Other victims belonged to other groups, such as ALPHV. Overall, Trend Micro telemetry revealed only a small cluster of genuine post-Cronos LockBit activity, from an affiliate in Southeast Asia that made a low ransom demand of $2,800.
Perhaps most worryingly, the group has also developed a new version of the ransomware, Lockbit-NG-Dev. Trend Micro found that it has a new .NET core, which makes it more platform-independent; it also drops the self-propagation capability and the ability to print ransom notes via users’ printers.
“The code base is completely new in relation to the move to this new language, which means that new security models will likely be needed to detect it. It is still a functional and powerful ransomware,” the researchers warned.
However, these are anemic signs of life at best, and Clay notes that it is unclear where LockBit or its affiliates might go next. Overall, he warns, defenders will need to be prepared for changes in ransomware gangs’ tactics as the ecosystem’s participants evaluate the state of play.
“RaaS groups are probably looking for their weaknesses to be discovered by law enforcement,” he explains. “They could review what types of companies/organizations they target so they don’t pay as much attention to their attacks. Affiliates could consider how to quickly switch between groups in case their primary RaaS group is eliminated.”
He adds: “The shift towards data exfiltration only versus ransomware deployments may increase as these do not disrupt a business, but can still enable profits. We may also see RaaS groups shift entirely towards other types of attacks, such as business email compromise (BEC), which don’t seem to cause much inconvenience, but are still very profitable for their bottom line.”