Trustwave Blog

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

Written by Ed Williams | Feb 21, 2024

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow won’t impact ransomware overall. As in the past, another group will pick up the slack, or LockBit itself will reform and get back into business.

For background, the UK National Crime Agency’s (NCA) Cyber Division, working in cooperation with the US Justice Department, Federal Bureau of Investigation (FBI), and other international law enforcement agencies seized numerous public-facing websites LockBit used to connect to the organization’s infrastructure, along with control of numerous servers used by administrators, disrupting the ability of the threat actors to attack and encrypt networks and extort victims by threatening to publish stolen data, the US Department of Justice reported.

The US Department of Justice estimated that LockBit targeted more than 2,000 victims and received more than $120 million in ransom payments while it was in operation.

The action taken required arduous pre-planning and execution and should not be overlooked. In the short term, this will go some way to stopping or reducing LockBit infections.

Over the longer term, however, I suspect it’ll be business as usual. After all, we have seen other major threat groups taken offline, only to see them pop back up. These include ALPHV/BlackCat and Hive, which were dismantled and then reborn.

Why? Because the recent law enforcement activity does not remediate the root issues that LockBit exploits. Organizations continue to ignore basic cyber hygiene and aren’t prepared for an attack, let alone for the incident response and recovery that follows one.

I would imagine that stopping threat actors from moving laterally inside a network remains as much of a concern for organizations today as it was yesterday, and that such movement is just as trivial for attackers.

What today’s news should be is a call for businesses around the globe to review their ‘three Ps’: Passwords, Patching, and Policies! An organization will be safe from ransomware and other cyber threats only by making itself a tough nut to crack.

Cybersecurity is a constant game of cat and mouse where innocent organizations must continue to focus on securing themselves and making themselves a “tough nut to crack.” I will give it two to three months, after which we’ll see a reincarnation of this flavor of ransomware, which I suspect will be even more sophisticated as the threat actors will have taken lessons from today and be able to cover their tracks better going forward.


LockBit 3.0 and the Ransomware Threat

Over the course of the last year, Trustwave’s elite SpiderLabs team has published multiple threat intelligence reports. While each report is centered on a different vertical market, there has been a common thread: ransomware is a primary threat, and LockBit is/was the most prolific group.

In the recent report on the manufacturing sector, LockBit is credited with claiming ownership of 30% of all attacks; the figure is 44% in retail and about 24% in the financial arena. In the financial sector, the Clop ransomware group has the edge on LockBit, being responsible for 39% of attacks.

As a quick reminder of the threat: ransomware typically encrypts or locks data and then demands the victim pay a ransom to regain access to the data. Initial access is gained through various means, such as phishing emails, exploiting vulnerabilities, or even using illegally obtained login credentials.

Modern ransomware campaigns prevent recovery by attempting to remove access to backup files and deleting Volume Shadow Copies.
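As an added illustration of the shadow-copy deletion just described (example code written for this post, not Trustwave or SpiderLabs tooling): detection logic that flags the common Volume Shadow Copy deletion commands in process-creation telemetry. The log line format, host names and sample commands are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation log lines in a hypothetical
# "<timestamp> host=<name> user=<name> cmd=<command line>" format.
SAMPLE_LOG = """\
2024-02-21T10:01:02Z host=WS01 user=alice cmd=C:\\Windows\\System32\\notepad.exe report.txt
2024-02-21T10:03:15Z host=FS02 user=SYSTEM cmd=vssadmin.exe delete shadows /all /quiet
2024-02-21T10:03:16Z host=FS02 user=SYSTEM cmd=wmic.exe shadowcopy delete
2024-02-21T10:04:40Z host=WS03 user=bob cmd=vssadmin.exe list shadows
2024-02-21T10:05:01Z host=FS02 user=SYSTEM cmd=powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
"""

# Case-insensitive signatures for shadow-copy destruction (MITRE ATT&CK T1490,
# Inhibit System Recovery). Listing shadows is benign and intentionally not matched.
SHADOW_COPY_DELETION_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "wmi_win32_shadowcopy_delete": re.compile(r"win32_shadowcopy.*\.delete\(", re.I),
}

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command: str


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def detect_shadow_copy_deletion(log_text):
    """Scan log text and return one Alert per line whose command line matches a rule."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scan
        for rule, pattern in SHADOW_COPY_DELETION_PATTERNS.items():
            if pattern.search(rec["cmd"]):
                alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rule, rec["cmd"]))
                break  # one alert per line is enough; avoid duplicate hits
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command}")
```

Any hit from a server or service account such as the FS02 lines above is worth treating as a high-priority incident, since it typically precedes encryption by minutes.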

More recently, ransomware groups have added an extortion component to these attacks. They will exfiltrate valuable data prior to deploying the ransomware and then publicly post proof of the attack to scare/shame the victim organization into paying the ransom. If the victim refuses to pay the ransom, the threat actor still has a dataset they can turn around and sell. This activity is commonly referred to as a double extortion tactic.

Threat actors will go to great lengths to get paid. Attackers have also layered on a further extortion technique: threat actors will strategically deploy a Distributed Denial of Service (DDoS) attack against the victim as a third layer of extortion, on top of the encryption and the data leak threat.

Lastly, another piece of good news related to the takedown of LockBit is the agencies have developed decryption capabilities that may enable hundreds of victims around the world to restore systems encrypted by the LockBit ransomware variant. Beginning today, victims targeted by this malware are encouraged to contact the FBI at https://lockbitvictims.ic3.gov/ to enable law enforcement to determine whether affected systems can be successfully decrypted.