LockBit Ransomware Takedown

In February 2024 the UK National Crime Agency released details of how the NCA and other international policing agencies had disrupted the actions of the Ransomware service provider LockBit. The aim of the operation, named ‘Cronos’, was not simply to take LockBit off-line but to disrupt its operations and business model. Nevertheless two LockBit ‘actors’ were arrested and over 200 cryptocurrency accounts linked to the group were frozen. 28 servers used by LockBit were taken down, source code seized and decryption software made public.

Considerable effort in time and computer expertise went into infiltrating the LockBit operation, with systems and accounts compromised well before the final unveiling of the operation. For a short time after the completion of Cronos the LockBit ‘official’ website was used by the NCA to display details of the takedown in a style mimicking that used by LockBit itself, counting down to details on data exposure instead of deadlines for ransomware payments. That site has since been taken off-line but details of the operation, together with perceived reactions from the hackers themselves, have been published by Trend Micro.

It is interesting that a rambling rebuttal from an alleged LockBit source blames the data breach on a PHP vulnerability that had not been promptly patched. This is a clear lesson that software management always makes sense whatever your area of business. There is a culture of brand reliability and ‘trust’ within the hacker community. The fact that the operation could be infiltrated and that the group lost control of its core operations makes it harder for the same individuals to start up again with the same software and services.

LockBit is a Ransomware as a Service (RaaS) business.  At the time of exposure by Cronos at least 192 victim accounts were listed.  193 affiliate accounts were also revealed.  These were the criminals responsible for LockBit attacks with the software creators themselves taking 20% of the ransom.  In both cases these numbers could include test accounts or be considerably larger if report paging or filtering had removed some records.  Obviously the affiliate account names were pseudonyms but in some cases these were similar enough to those of real hackers to provide a clue as to their actual identity.  Chat logs showed the hackers negotiating with victims for payment of all or part of their ransom demands.  Some of the data recovered was from previous victims indicating that if there had been a promise to delete stolen data it was not kept.  Other threats involved releasing stolen data onto public Internet sites.

The Bleeping Computer ‘Week in Ransomware’ reports indicate that the total number of Ransomware attacks has dropped off since the LockBit disruption but other operations are moving up to fill the void. April 2024 victims included Change Healthcare, Omni Hotels, chipmaker Nexperia and Octapharma Plasma. These are big ticket operations that could afford to pay large ransoms that would still be less than any potential losses from compromised data, reductions in income or fines from regulatory bodies.

Anyone suspecting that they are a victim of ransomware should immediately contact their local police.  Commercial organisations provide decryption services but an initial port of call would be the free ‘No More Ransom’ project.
