By most accounts, LockBit was the most active ransomware group in the world, amassing over 2,000 victims around the globally and netting more than $120 million in ransom payments.
But that was before an international team of law enforcement seized control of servers used by LockBit administrators, taking control of numerous public-facing websites used by LockBit to connect to the organization’s infrastructure.
This disrupted the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data.
The U.S. Department of Justice and FBI joined the United Kingdom National Crime Agency’s (NCA) Cyber Division to this week in announcing federal charges against the intrepid ransomware group.
The Justice Department also unsealed indictments in New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev -- also known as Bassterlord -- with deploying LockBit against numerous U.S. and worldwide businesses.
Search warrants in that case identified servers used by LockBit administrators to host the so-called “StealBit” platform, a criminal tool used by LockBit members to organize and transfer victim data.
Additional criminal charges against Kondratyev were unsealed in California related to his deployment in 2020 of ransomware against a victim there.
U.S. Attorney General Merrick Garland said investigators not only disrupted the group, but obtained keys from seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data.
“LockBit is not the first ransomware variant the Justice Department and its international partners have dismantled. It will not be the last,” Garland promised.
The feds also said the NCA, in cooperation with the FBI and international law enforcement, developed decryption capabilities that may enable hundreds of victims around the world to restore systems encrypted using the LockBit ransomware variant.
Victims targeted by this malware are encouraged to contact the FBI at https://lockbitvictims.ic3.gov/ to enable law enforcement to determine whether affected systems can be successfully decrypted.
The Beat Goes On
Reaction to the takedown this week seemed positive, but it likely won’t affect ransomware activities in the long term, “because there are simply too many strains, groups and affiliate programs that are likely unrelated to LockBit,” says Aamil Karimi, a threat intelligence leader at Optiv.
“Affiliates may likely take more security precautions in the short term, and developers and administrators will take steps to tighten up their risk and asset management postures -- just like any organization following the news of a significant breach of an industry peer.”
He notes that in 2017 and 2019 there were takedowns and seizures of several high-profile Dark Web marketplaces, and while several pundits and researcher opinions predicted the demise of the Dark Web ecosystem, users simply migrated to other platforms and continue to operate.
“Ransomware attacks will continue over the next 12 months as the sheer number of affiliates with their various, and often overlapping, tooling and procedures prevent a complete and centralized takedown and disruption of all ransomware activity,” Karimi says.
As for this week’s disruption, Karimi says LockBit’s site was reportedly compromised via an unpatched PHP vulnerability, CVE-2023-3824.
“Threat actors usually fail due to poor OPSEC. This incident shows threat actors aren’t invincible from the same security and risk failures or oversights that plague other organizations when it comes to timely patching and asset management,” he says.
The take down of LockBit's sites is more substantial than what was done recently to Alphv, in that complete databases and identities of developers, administrators and affiliates were exposed, he says. “Lockbit administrators were allegedly interviewed during the aftermath of the takedown and expressed defiance in law enforcement being able to prove their identities.”
Attack Pace Slows
Ransomware isn’t going away, but trends have recently appeared to slow. In a report released Tuesday analyzing activity in January, NCC Group said 2024 is the most active January for ransomware attacks in three years -- up 73% from the same month in 2023, and up 138% from January 2022. But attacks decreased 27% from December.
At the time, Lockbit remained the most active threat actor, accounting for nearly a quarter (22%) of all cases – but that’s down 22% over December.
Europe saw a 34% decrease in attacks between December and January, and the technology sector saw a 40% decrease in ransomware attacks from December through January. Healthcare saw a decrease of 47% during the same period.
Malwarebytes, a global leader in real-time cyber protection, released its 2024 ThreatDown State of Malware report earlier this month, revealing the U.S. accounted for almost half of all ransomware attacks in 2023.
The annual cybersecurity analysis looks at the most prominent attacks and cybercrime tactics across popular operating systems and how IT teams — particularly those that are resource-constrained — can address them.
"Small and medium-sized organizations face a deluge of cyber threats daily including ransomware, malware and phishing attacks. This new data spotlights the pervasive cat-and-mouse game between cybercriminals and the security and IT teams on the front lines," said Mark Stockley, Cybersecurity Evangelist, Malwarebytes ThreatDown Labs.
"The threat landscape is constantly evolving especially with the explosion of AI and new adversaries with fresh strategies and tactics, but if organizations follow our guidance and become equipped to handle these top threats, they are off to a good start in 2024."
Alongside the rise of ransomware attacks in 2023 (68%), the average ransom demand also climbed significantly. The LockBit gang was responsible for the largest known demand, $80 million, following an attack on Royal Mail.
Ransomware groups also evolved their tactics, getting scrappier and more sophisticated to target a higher volume of targets at the same time, Malwarebytes notes. For example, the CL0P ransomware gang broke established norms with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits.
The repeated use of zero-days also signaled a new level of sophistication making CL0P the second most active "big game" ransomware group of 2023, outpacing rivals that were active in every month of the year compared to just a few weeks of activity from CL0P, Stockley say.
Shoring Up Defenses
Maurice Uenuma, cybersecurity expert and Vice President of Blancco, believes LockBit’s takedown will disrupt other ransomware organizations “by proxy” as groups scramble to avoid being the next target.
“Raising the stakes for cyber criminals in this manner is essential work,” Uenuma says adding that the reverse engineering of malware allows law enforcement to go beyond the traditional capturing, deterring and punishing of the attackers themselves to “provide meaningful mitigation services to victims.”
He adds that the LockBit takedown may temporarily slow attacks, which gives organizations the opportunity to shore up their defenses by implementing prioritized best practices, such as the CIS Critical Security Controls or “CIS 18”.
“They should also take a close look at their data lifecycle management, making sure they erase data that’s no longer necessary, including redundant, obsolete and trivial (ROT) data, to reduce the overall data attack surface.
“As it pertains to ransomware, organizations should ensure that critical data is routinely backed up in a separate, protected environment, so that compromise of the primary data set does not result in a critical impact to operations. And they should find ways to implement zero trust architecture wherever possible to make lateral movement much more difficult.”