When the attacker gets attacked: The LockBit story

Cybercrime + Ransomware | White Hat | February 26, 2024

Background

I’m sure that at some point you’ve heard of this group or read an article about it. We had planned to write about one of the most notorious ransomware groups next month. However, given recent events, now is the perfect time for that article.

Who are they?

The LockBit group – initially known as “ABCD” ransomware – emerged in September 2019. They began operating as a ransomware-as-a-service (RaaS) scheme and caused enormous harm and cost. They were responsible for thousands of ransomware attacks on victims around the world, from high-profile corporate targets to hospitals and schools.

Beyond hospitals and schools, they were also responsible for the November 2023 ransomware attack against the U.S. broker-dealer of the Industrial and Commercial Bank of China (ICBC). In terms of attack attempts, the United States, India, and Brazil were the most targeted countries.

Now, the happy part of the LockBit story

On February 19, 2024, the U.K.’s National Crime Agency, in collaboration with Europol and other international law enforcement agencies, seized control of the group’s darknet websites and servers and arrested two members, as part of a well-coordinated joint operation known as “Operation Cronos”.


According to Europol’s press release[1], the agencies also froze 200 cryptocurrency accounts linked to the group. As part of this operation, they seized one of the group’s portals, known as the ‘LockBit panel’, which the affiliates used. Now, when an affiliate tries to log in, they are greeted with this message:

Lockbit_04 (image from vx-underground: https://t.co/CYSkML7aVv)

Later, law enforcement updated the seized website and posted a message stating that they had obtained details about ‘LockBitSupp’ (the leader of the organization), who had also engaged with law enforcement.

Lockbit_05 (image from vx-underground: https://t.co/gBFe9rQAnw)

Does that mean they are gone?

Sadly, the answer is no.

After a mere four days, they were back up and running. In response, LockBit increased the bounty on their heads to $20 million, and ‘LockBitSupp’ published a lengthy response directed at the FBI. In this statement, they declared not only their return but also a renewed motivation:

I am very pleased that the FBI has cheered me up, energized me and made me get away from entertainment and spending money, it is very hard to sit at the computer with hundreds of millions of dollars, the only thing that motivates me to work is strong competitors and the FBI, there is a sporting interest and desire to compete. With competitors who will make more money and attack more companies, and with the FBI whether they can catch me or not, and I’m sure they can’t, looking at the way they work.


Of course, they also wanted to reassure their affiliates, so they said:

Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment. And after introducing maximum protection on every build of locker, there will be no chance of free decryption even for 2.5% of attacked companies.

Why is this so important?

The U.K.’s National Crime Agency (NCA) got hold of LockBit’s source code, over a thousand decryption keys, and a large amount of information about the gang from its compromised systems. As a result, a ‘decryptor tool’ has been released, which is very helpful for the victims. It can be downloaded (along with several other decryptors) from Europol’s No More Ransom website: https://www.nomoreransom.org/

This doesn’t mean that you or your company is safe from these attacks, and as we said in our last post:

  • Staying informed and taking proactive measures are our best defense against these digital threats.
  • Allocating resources towards the enhancement of the company’s security measures and maintaining a robust defense system is a more cost-effective strategy than dealing with the financial implications of a ransom payment.

If you experience an incident, don’t hesitate to call us; our expert Incident Response team is ready to assist you. However, if you wish to be proactive and safeguard against these digital threats, our SOC team is eager to help keep your data secure.


[1] Europol, “Law enforcement disrupt world’s biggest ransomware operation” (europol.europa.eu)

Written by: White Hat
