Blog February 22, 2024

Beating LockBit at its Own Game: Law enforcement’s takedown of a prolific ransomware group

by Rob Ames, Senior Staff Threat Researcher; James Niven, Senior Staff Threat Researcher

After a years-long investigation, this week the FBI and law enforcement agencies in the UK and Europe took over the main website of the cybercrime group known as LockBit. Law enforcement additionally arrested LockBit associates in Poland, Ukraine, and the U.S. and the U.S. Treasury imposed sanctions on Russian nationals affiliated with the group. The joint operation re-engineered LockBit’s online system to mimic the countdown clock used by the group in its extortion attempts. On the website’s front page, where victim names once stood, law enforcement agencies replaced the text and links with internal data obtained by hacking the hackers themselves.

 

Takedown notice that a group of global intelligence agencies issued to the LockBit ransomware group’s dark web site.

Who is LockBit?

LockBit is a ransomware group that has been active since at least 2019 and is known for its professionalism, innovation, and use of social engineering tactics to gain access to victims’ networks. As is true of ransomware in general, in its most basic form, LockBit operates by encrypting victim organizations’ data and demanding ransom payments in exchange for decryption keys. The group has, however, evolved over time, adopting the ransomware-as-a-service (RaaS) business model and secondary extortion tactics that have become common to ransomware groups in recent years and, perhaps as a function of its large number of affiliates, was, according to the Cybersecurity and Infrastructure Security Agency (CISA), the most widely-deployed ransomware variant in 2022 and remained prolific throughout 2023

The SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team has tracked LockBit extensively, from its attack on a Southeast Asian bank and a semiconductor manufacturer to its breaches of a defense contractor and a U.S. city’s housing authority

Before being seized by police, LockBit extorted multiple hacking victims at the same time through its website, which listed the group’s recently-claimed victims next to a countdown timer. Once the counter expired, hackers would publish stolen data from the victimized companies; this often included sensitive data such as medical records, emails, private customer information, and billing data.

A novel approach to combating ransomware

The decision to re-engineer the group’s website is a novel approach on the part of law enforcement. Even previous, public-facing actions such as seizures of ransom sites have been somewhat less attention-grabbing than the appropriation of some features of LockBit’s ransom site (such as its countdown clock and the use of a ransom demand-styled “$10 million challenge” in place of a traditional offer of a reward).

Though many in the cybersecurity community see this as a welcome development, the action’s long-term impact remains to be seen. Some previous law enforcement disruptions of ransomware operations (for example, the FBI’s takedown of the ALPHV group, which may have emboldened the group) have proven temporary.  

While this is not necessarily a solution to the problem of ransomware in general, it will likely cause considerable damage to LockBit’s brand; and this reputational damage may be sufficient to end the LockBit operation as it’s existed up to this point. As a result of the reputational damage to LockBit, the group’s former affiliates will likely begin working with other ransomware operations or may form new groups of their own. 

Some affiliates may pause their activity or otherwise go into hiding to avoid the current state of heightened scrutiny. However, given that this scrutiny is likely temporary, they are likely to resume their activity and link up with other operations. 

What’s next for ransomware groups

The action against LockBit may serve as something of a cautionary tale for other ransomware operations, which are likely to focus more on operational security (OPSEC) going forward. While ransomware operations are already closed groups, they may go further underground and draw clearer (and stricter) boundaries  to avoid consequences like those now facing LockBit. 

For example, the BlackMatter (now ALPHV) group’s previous OPSEC improvements included the use of private keys to access affiliate panels and of separate panels for each affiliate. By keeping affiliates’ panels separate from one another, if law enforcement (or other parties) were to compromise one affiliate, the compromise would be limited to that one affiliate’s panel. However, in LockBit’s case, these panels were centralized, so a single compromise could impact the rest of the operation.

 

Threats move fast. We move faster.