The UK and US have seized technical infrastructure belonging to the LockBit ransomware group as part of Operation Cronos. Among the assets seized are the primary platform and the leak site where stolen data has been hosted. The action came after cybersecurity experts were able to infiltrate LockBit’s network. It is claimed that this has compromised the entire criminal enterprise.

Graeme Biggar, Director General, National Crime Agency (Image Credit: National Crime Agency)
Graeme Biggar, Director General, National Crime Agency

According to Graeme Biggar, Director General, National Crime Agency, “This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

Have we seen the end of LockBit?

The last part of that statement is interesting. It raises questions as to exactly how much is known about the individuals behind LockBit. It also seems a little premature. Previous high profile takedowns of international ransomware organisations have seen then return to business in just months. So why is the NCA so positive that this is the end of LockBit? So far, that is unclear.

LockBit has been around since 2019 and since then has undergone several revisions to its code base and affiliate programme. When it launched LockBit 3.0 in 2022, Trend Micro researchers pointed out that the source code contained code from another ransomware vendor, BlackMatter. That launch also saw Lockbit release a new bug bounty program.

Successful cybercrime groups are more resilient than many enterprises. They have backups and failover sites in case servers and infrastructure are seized. It would be a surprise if that wasn’t the case here with LockBit. It could retaliate to this move by UK and US authorities by just releasing copies of all the stolen data and causing chaos.

Similarly, it could follow the path of the Emotet Trojan malware. It has seen seizures of its critical infrastructure and the arrest of key members. However, it has always recovered and relaunched within months due to its forward planning. It will be interesting to see how long it takes before LockBit does the same.

Will this lead to a free unlock code?

Having the source code is a major boost here. It means that cyber experts can begin to work through it and share it with other cybersecurity companies. By going through the source code, researchers will hope to find a decoder that will unlock systems and data currently affected by LockBit.

The NoMoreRansom website, already contains keys to unlock a lot of ransomware. Interestingly, there is already a decryptor provided by the Police in Japan that unlocks some LockBit 3.0 instances. It relies on known decryptor keys but admits that it won’t work on all LockBit 3.0 attacks.

What we could now see is researchers uncover the algorithm that is used to create the unique keys for customer data. From that, they will be able to reverse engineer it and create a more generic unlock key. For those who have not paid, and even those who have but who didn’t get their data back, this will be eagerly awaited.

Dismantling the affiliate program

Of equal interest will be the data gained about LockBit’s affiliate program. Law enforcement agencies worldwide will be using that data to track down individuals involved in LockBit attacks. It will also allow them to identify who infected which company, who paid and how much each affiliate earned.

There will also be work done to see how many of these affiliates are connected to other cybercrime programs. That intelligence will begin to paint an interesting picture of how many attack the same victim using different ransomware or other malware. It is known that this happens but by looking closely at affiliates and what else they do, it is possible to get a more accurate view on this.

There will also be a lot of attention on following the money trail. The more experienced cybercriminals are adept at moving payments around to disguise and wash them. Less experienced ones, not so much. It means that the tracing of some monies and even the routes used to wash payments will be uncovered. What is not known is how much is likely to be recovered.

But there is a double-edged sword here for the victims. Have all those affected informed the authorities where required? How many have paid ransoms despite being in countries where it is illegal to do so? While it is unlikely that law enforcement will list companies who have been affected, there will likely be meetings at the board level as companies look to get statements ready just in case.

What does the cybersecurity industry say?

As expected, the moment the story broke, PR teams went into high gear to crank out canned statements from spokespeople. Enterprise Times has received a lot of emails already. Here are some of them.

Christian Have, CTO, Logpoint, commented, “The disruption of the two largest ransomware gangs LockBit and BlackCat, can change the threat landscape by increasing fragmentation and decentralization further. This emphasizes the need for security teams to move beyond traditional methods of identifying security breaches based on known Indicators Of Compromise (IOCs). Instead, adopting an approach focused on detecting Tactics, Techniques and Procedures (TTPs) is more sustainable, because it takes the threat actor’s dynamic methods and emerging threats into account.”

Adam Marré, CISO at Arctic Wolf, said, “The takedown of the LockBit servers and website is undoubtably a great success for law enforcement.”

He continued, “Given the dispersed nature of LockBit, it is also likely threat actors that aren’t involved in any follow-up arrests will still make use of the existing infrastructure not affected by this activity.”

A blog from Zerofox Intelligence notes, “However, the operation is unlikely to have a sustained impact on the overall threat from R&DE. Comprehensive degradation of LockBit’s infrastructure will likely result in a short cessation in activity from LockBit operatives before they resume operations—either under the LockBit name or an alternative banner. It is crucial security teams continue to monitor for LockBit indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).”

Enterprise Times: What does this mean?

The takedown of any major cybercrime organisation is something to be applauded. However, this is a game of whack-a-mole. The majority of the responses from cybersecurity vendors all point to an expectation that this is just a temporary hiatus. Most seem to believe that LockBit will return, either under its own name or as a new variant.

What everyone is waiting for now is the source code to be distributed to security companies. That will allow their researchers to start working on it. Expect to see a lot more in terms of decoders and, more importantly, TTPs to identify attacks built from fragments of the LockBit code.


Please enter your comment!
Please enter your name here