The LockBit ransomware-as-a-service (RaaS) operation has re-launched its leak site, just one week after a coordinated takedown operation from global law enforcement.
On Feb. 19, the "Operation Cronos Taskforce" — which includes the FBI, Europol, and the UK's National Crime Agency (NCA), among other agencies — carried out a massive action. According to the NCA, the taskforce took down infrastructure spread across three countries, including dozens of servers. It seized code and other valuable intelligence, troves of data stolen from the group's victims, and more than 1,000 associated decryption keys. It vandalized the group's leak site and its affiliate portal, froze more than 200 cryptocurrency accounts, arrested a Polish and a Ukrainian national, and indicted two Russian nationals.
A spokesperson for the NCA summed it up on Feb. 26, telling Reuters that the group "remains completely compromised."
The person added, however, that "our work to target and disrupt them continues."
Indeed, Operation Cronos may not have been as comprehensive as it at first seemed. Though law enforcement damaged LockBit's primary infrastructure, its leader admitted in a letter, the group's backup systems remained untouched, enabling the operation to bounce back quickly.
The message left on LockBit's affiliate portal; Source: vx-underground via X (formerly Twitter)
"At the end of the day, it's a significant blow by law enforcement against them," says former FBI special agent Michael McPherson, now senior vice president of technical operations at ReliaQuest. "I don't think anybody is naïve enough to say that it's the nail in the coffin for this group, but this is a body blow."
LockBit's Side of the Story
One would be well-advised to greet the leader of LockBit with skepticism. "Like a lot of these guys in the ransomware space, he's got quite an ego, he's a little bit volatile. And he has been known to tell some pretty tall tales when it suits his objective," says Kurtis Minder, a ransomware negotiator, and co-founder and CEO of GroupSense.
In his letter, however, the person or persons Minder refers to as "Alex" strikes a notably humble tone.
"Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time," the ransomware ringleader wrote, citing the critical, 9.8 out of 10 CVSS-rated PHP bug CVE-2023-3824 "as a result of which access was gained to the two main servers where this version of PHP was installed. I realize that it may not have been this CVE, but something else like 0day for PHP, but I can't be 100% sure."
Crucially, he added, "All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies." Indeed, thanks to this redundancy, LockBit's leak site was back up and running after a week, featuring a dozen victims: a lending platform, a national network of dentistry labs, and, most notably, Fulton County, Georgia, where former president Trump is currently involved in a legal battle.
Does Law Enforcement Action Have an Impact?
For years now, US and EU law enforcement have made headlines with high-profile raids of major ransomware operations: Hive, AlphV/BlackCat, Ragnar Locker, and so on. That ransomware continues to rise in spite of these efforts may inspire apathy in some.
But in the aftermath of such raids, McPherson explains, "Either these groups have not reconstituted, or they recovered in a smaller way. Like, Hive hasn't been able to come back yet — there was interest in it, but it really didn't materialize."
Even if law enforcement didn't totally wipe out LockBit, it still likely caused the hackers great harm. For example, Minder points out, "they apparently got access to some of the affiliates' information," which affords authorities significant leverage.
"If I'm an affiliate, or I'm another ransomware developer, I might think twice about interacting with these people just in case they've turned FBI informant. So it's creating some distrust. And then on the flip side, I think they're doing the same to LockBit by saying: 'Hey, we actually know who all the affiliates are, we got all their contact information.' So now LockBit is going to be suspicious of its own affiliates. It's a little bit of chaos. It's interesting."
To really solve ransomware in the longer term, though, governments may need to supplement flashy takedowns with effective policies and programs.
"There has to be a balanced program, maybe at the federal government level, that actually helps with prevention, in response, in repair. I think if we saw how much capital was actually leaving the US economy as a result of these kinds of activities, we'd see that it would make sense to subsidize a program like that, that would keep people from having to pay ransoms," he says.