
LockBit Ransomware Group Returns After Law Enforcement Operation

February 26, 2024 – Published on Security Boulevard

The LockBit ransomware group is swinging back days after U.S. and UK law enforcement agencies announced they had disrupted the operations of the prolific cybercrime gang, including seizing infrastructure and public-facing websites, grabbing decryption keys, and indicting two alleged members.

LockBit operators reportedly are back up on new infrastructure, with a new .onion address on the TOR network whose leak site lists as many as a dozen new victims. At the same time, the LockBit administrator, in a lengthy message, admitted that some of the group’s servers had been hacked by the FBI but said the group was still in operation and threatened to retaliate by targeting U.S. government sites.

Operation Cronos was the latest of such efforts by the U.S. Justice Department (DOJ), FBI, and international law enforcement to fight back against the growing ransomware threat by infiltrating groups’ infrastructure, seizing servers and domains, and getting or developing decryption keys to enable victims to regain control of their encrypted data. Previous initiatives targeted such groups as Hive and BlackCat, also known as ALPHV.

Drew Schmitt, a ransomware negotiator for GuidePoint Security, told Security Boulevard that while law enforcement efforts like Operation Cronos may not completely shut down a ransomware group like LockBit, there is an impact.

“It shows these groups that they are not untouchable,” Schmitt said. “Takedowns to the level that we are seeing with LockBit are very impactful to groups, and although they may not completely disappear, they are definitely feeling the pressure and impacts right now.”

Dismantling such a group isn’t easy. They often use security measures that include a heavily decentralized infrastructure – the LockBit administrator noted efforts to increase decentralization – and steps to hide identities, such as using the TOR network. In addition, even if law enforcement uncovers perpetrators’ identities, the countries in which they live may not want to arrest them or stop the illegal activity, Schmitt said.

Also, the RaaS model means more affiliates within the group, so the core ransomware developers and owners have to be taken down in addition to the myriad affiliates for a ransomware operation to be dismantled with little opportunity for a splinter or rebrand to occur.

With LockBit, the FBI and other agencies put a particular emphasis on the affiliate structure and on highlighting the intelligence gathered about affiliates, Schmitt said.
