LockBit - locked down, but not out

04 March 2024

In an incredible storyline worthy of the next modern action movie, on 19 February the UK’s National Crime Agency (NCA), the FBI and partners from nine other countries took down LockBit in ‘Operation Cronos.’

LockBit, in operation for four years, has been the world’s most harmful cybercrime group. With thousands of victims globally, its ransomware-as-a-service has caused losses of billions of pounds in both ransom payments and recovery costs.

“LockBit stands out as the most prolific ransomware group with a brazen willingness to attack hospitals and critical infrastructure, unlike many of its competitors,” said Christian Have, CTO, Logpoint.

During Operation Cronos, the taskforce took control of LockBit’s primary administration environment, which enables affiliates to carry out attacks, as well as its public-facing leak site on the dark web, on which it hosted data stolen from victims. The NCA also obtained the LockBit platform’s source code and a ‘vast amount’ of intelligence about activities and partners.

As a result of the takedown, Europol has coordinated the arrest of two LockBit actors in Poland and Ukraine, and more than 200 cryptocurrency accounts linked to the group have been frozen. The US Department of Justice has announced that two defendants responsible for using LockBit to carry out ransomware attacks are in custody and will face trial.

“As of today, LockBit are locked out,” said National Crime Agency director general, Graeme Biggar. “We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity. Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

Despite near-global celebration of this achievement, Melissa Bischoping, director of endpoint security research at Tanium, warned that “the takedown of threat actor infrastructure is always good, but often the actors are quick to regroup and bring themselves back online. The disruption may be temporary but still provides valuable intelligence, access to decryption keys that can be provided to victims, and a temporary shakeup that may result in a group fracturing into multiple new groups or branching out on their own from the parent.”

Bischoping was quickly proven correct: just a few days later, LockBit launched a new leak site claiming to have restored its infrastructure and inviting affiliates to re-join. The group’s leader, ‘LockBitSupp,’ confirmed that while a PHP flaw had enabled the seizure of vulnerable sites, it did not affect those not running the scripting language. LockBitSupp also asserted that the takedown has motivated the group to improve its protections, including decentralising the operation further. Notably, the leader confirmed that upcoming operations would target government infrastructure, and has reportedly started countdown timers for six victims on the new site, including one for the FBI.

While LockBit is no longer the seemingly untouchable threat it once was, Have noted that the takedown disruption “can change the threat landscape by increasing fragmentation and decentralisation further. This emphasises the need for security teams to move beyond traditional methods of identifying security breaches based on known Indicators Of Compromise (IOCs). Instead, adopting an approach focused on detecting Tactics, Techniques and Procedures (TTPs) is more sustainable, because it takes the threat actor’s dynamic methods and emerging threats into account.”