Hubris May Have Contributed to Downfall of Ransomware Kingpin LockBit
The most prolific ransomware group in recent years was on the decline at the time of its takedown, security researchers say.
February 22, 2024
For all its vaunted success, the LockBit ransomware operation appears to have already been beset by problems when an international law enforcement effort led by the UK's National Crime Agency (NCA) shut it down this week.
Security vendor reports that have surfaced following the takedown paint a picture of a once innovative and aggressive ransomware-as-a-service (RaaS) group that had recently been struggling with dissent among members and affiliates, and with a perception among some in the criminal community that it was a snitch.
Irreparable Damage?
Many perceive the law enforcement operation as likely having caused irreparable damage to the criminal outfit's ability to continue with ransomware activities, at least in its current form and under the LockBit brand. Though it's likely that the dozens of independent affiliates that distributed and deployed LockBit on victim systems will continue operations using other RaaS providers, their ability to continue with LockBit itself appears unviable for the moment.
"It's likely too early to say," says Jon Clay, vice president of threat intelligence at Trend Micro, which collaborated with the NCA to analyze a new developmental version of LockBit and release indicators of compromise for it. "But due to the exposure and all the information shared, like [LockBit's] decryption tools, seized cryptocurrency accounts, and infrastructure takedown, the group and their affiliates are probably hindered from operating effectively."
The NCA's cyber division in collaboration with the FBI, the US Department of Justice, and law enforcement agencies from other countries earlier this week disclosed they had severely disrupted LockBit's infrastructure and operations under the aegis of a months-long effort dubbed "Operation Cronos."
The international effort resulted in law enforcement taking control of LockBit's primary administrative servers that allowed affiliates to carry out attacks; the group's primary leak site; LockBit's source code; and valuable information on affiliates and their victims. Over a 12-hour period, members of the Operation Cronos taskforce seized 28 servers across three countries that LockBit affiliates used in their attacks. They also took down three servers that hosted a custom LockBit data exfiltration tool called StealBit; recovered over 1,000 decryption keys that could potentially help victims recover LockBit-encrypted data; and froze some 200 LockBit-connected cryptocurrency accounts.
The initial break appears to have resulted from an op-sec failure on LockBit's part — an unpatched PHP vulnerability (CVE-2023-3824) that allowed law enforcement a foothold on LockBit's environment.
$15 Million Reward
The US DoJ on the same day also unsealed an indictment that charged two Russian nationals — Ivan Kondratyev, aka Bassterlord, one of the most prominent of LockBit's many affiliates, and Artur Sungatov — for ransomware attacks on victims across the US. The department also disclosed that it presently has in custody two other individuals, Mikhail Vasiliev and Ruslan Astamirov, on charges connected to their participation in LockBit. With the new indictment, the US government says it has so far charged five prominent LockBit members for their role in the crime syndicate's operation.
On Feb. 21, the US State Department amped up pressure against LockBit members by announcing rewards totaling $15 million for information leading to the arrest and conviction of key members and leaders of the group. The Department of Treasury joined the fray by imposing sanctions on Kondratyev and Sungatov, meaning that any future payments that US victims of LockBit make to LockBit would be strictly illegal.
In executing the takedown, law enforcement left somewhat mocking messages for affiliates and others related to LockBit on sites they had seized during the operation. Some security experts viewed the trolling as a deliberate attempt by Operation Cronos to shake the confidence of other ransomware actors.
One reason is to "send a warning message to other operators that LEA can and will target your group for similar actions," says Yelisey Bohuslavskiy, chief research officer at threat intelligence firm RedSense. "It is likely that many groups are currently assessing their operational security to determine if they have already been breached and may have to figure out how to better secure their operations and infrastructure."
Together, the actions represented a well-earned success for law enforcement against a group that over the last four years has caused billions of dollars in damages and extracted a staggering $120 million from victim organizations around the world. The operation follows a string of similar successes over the past year, including takedowns of ALPHV/BlackCat, Hive, Ragnar Locker, and Qakbot, a widely used ransomware dropper.
A Challenge to Rebuild
While other groups have rebounded following similar takedowns, LockBit itself might have a bigger challenge getting restarted. In a blog following news of the takedown, Trend Micro described the group as one that has recently struggled to stay afloat because of numerous problems. These include the theft and subsequent leak of the LockBit builder by a disgruntled member in September 2022, which allowed other threat actors to deploy ransomware based on LockBit code. A string of patently false claims about new victims and made-up leaked data on LockBit's leak site, starting last April, has also raised questions about the group's victim count, and its increasingly frantic efforts to attract new affiliates have had an "air of desperation" around them, Trend Micro said. LockBit's reputation as a trusted RaaS player among cybercriminals has also taken a hit following rumors of its refusal to pay affiliates as promised, the security vendor said.
Recently, LockBit's administrative team has come under significant pressure from a reliability and reputation standpoint following a ransomware attack on Russian company AN Security in January involving LockBit ransomware, says Aamil Karimi, threat intelligence leader at Optiv.
"Attacks against CIS countries are strictly prohibited across most RaaS operations," Karimi says. "They were facing fines and banishment from underground forums as a result of the attack on AN Security." What has added to the drama around the incident are rumors about a rival group carrying out the attack deliberately to create problems for LockBit, he notes.
An FSB Snitch?
Because of this, there was plenty of opportunity for rival groups to take over the space occupied by LockBit. "There was no remorse shown by rival groups" following news of LockBit's takedown, he says. "LockBit was the most prolific of the groups, but as far as respect and reputation, I don't think there was any love lost."
Bohuslavskiy of RedSense says suspicions that a LockBit administrator was likely replaced by agents of Russia's foreign intelligence service (FSB) have not helped the group's image either. He says the origins of these suspicions go back to 2021, when Russia's government appeared to take a series of actions against ransomware operators such as REvil and Avaddon. It was around that time that LockBit's admin suddenly went quiet, Bohuslavskiy says.
"This was mostly spotted by the [initial access brokers] who worked directly with [the administrator]," he notes. "By August, the admin reappeared, and this is when the IABs began to say that the person was changed and substituted by an FSB operative."
RedSense this week published a blog summarizing the findings from a three-year investigation of LockBit, based on conversations with members of the operation.