Afiq Sam - stock.adobe.com
LockBit bids to save face after NCA takedown
The LockBit gang’s ringleader resurfaces with new infrastructure and new victims, claiming to have shrugged off a multinational police sting
A week after being knocked offline in a combined multinational law enforcement operation led by the UK’s National Crime Agency, the main operator, or someone claiming to be the main operator, of LockBit has reemerged, taunting law enforcement agencies and setting up fresh infrastructure and a new leak site that already contains details of five alleged victims.
LockBit was laid low on 19 February in Operation Cronos, a sting that targeted the prolific gang’s server infrastructure, took control of data including source code, decryption tools and victim data, seized and froze crypto assets, and resulted in two arrests in Poland and Ukraine.
However, in a lengthy message, signed off as LockBit, the gang’s supposed ringleader rejected the bulk of the claims made by the agencies that participated in Operation Cronos, although they confirmed that the NCA and its partners – which they refer to throughout as the FBI – accessed their server infrastructure via an unpatched PHP vulnerability.
LockBit claimed that they started to notice problems early in the morning of 19 February, but that after restarting PHP things went back to normal. “I didn’t pay much attention to it, because for 5 years [sic] of swimming in money I became very lazy,” they wrote.
LockBit went on to taunt the police, suggesting that the NCA and FBI hackers who targeted it might make more money working in the world of ransomware, and countered many of the claims made in the wake of the takedown, including disputing the identities of some of those arrested, who in LockBit’s version of the narrative were little more than low-level money launderers.
They also rejected outright the scale of the breach they suffered, claiming that the authorities are not actually in possession of the full codebase of its locker, among other things.
The message further speculates that the takedown was prompted by a recent LockBit attack on the IT systems of Fulton County in Georgia – Atlanta – from which it stole information on legal cases against former president Donald Trump that LockBit believes could throw the result of the 2024 US presidential election.
LockBit added: “Personally, I will vote for Trump.” Although given they are almost certainly not a US citizen, this would seem unlikely.
“All FBI actions are aimed at destroying the reputation of my affiliate programme, my demoralisation, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped,” they said.
“I am very pleased that the FBI has cheered me up, energised me and made me get away from entertainment and spending money.”
Unreliable narrator
It is important to remember that as a cyber criminal ransomware operator, LockBit’s message will not have been motivated by a desire to set the record straight in any factual sense of the term. Given LockBit was already in decline as an operation, even though it continued to conduct damaging cyber attacks, the messaging around its reemergence should in fact be read in this context.
“The purpose of the message is not to communicate fact, but to engage in PR and reputational damage control for the LockBit brand as a show of strength,” said WithSecure senior threat analyst Stephen Robinson.
“This was an extremely comprehensive takedown which targeted the assets which are the true strength of Ransomware-as-a-Service [RaaS] brands such as LockBit – the brand itself and the affiliates who carry out operations and the group’s financial assets.
“The cyber events were coordinated with high-profile real-world law enforcement agency (LEA) operations to arrest LockBit associated individuals. The seized site was used by LEAs to send a warning message directly to affiliates. The LockBit leak site and brand was used by LEAs to thoroughly mock and denigrate LockBit and their affiliates, and LEAs have stated that they seized 200 plus cryptocurrency wallets, and 1,000 plus decryption keys,” he added.
An expected development
Semperis vice-president for the UK and Ireland, Dan Lattimer, said he was entirely unsurprised that LockBit had quickly resurfaced.
“This cyber crime group has stolen more than $100m in ransom payments in the last year alone; they weren’t going to go quietly in the wind after being embarrassed by a contingent of global law enforcement agencies,” he said.
“Overall, the fight between defenders and adversaries is a round-the-clock battle and it was only a matter of time before the group resurfaced in its entirety or its members joined other ransomware groups.
“I was cautioning Semperis’ customers and partners last week not to lose sight of the fact that LockBit would resurface and to always have an assumed breach mindset. You can never let your guard down against threat actors and building operational resiliency, including a backup and recovery plan is vital to protecting critical assets of your employees, customers and partners,” said Lattimer.
Rubrik EMEA CISO Richard Cassidy added: “One has to question if the financial resources of groups such as Lockbit, are somewhat broader in scope, than the law enforcement teams tasked with their disruption. Lockbit are extremely well funded through the success of their operations, having amassed circa $91m from US organisations alone, therefore they have the economic power to regroup and develop new tactics, techniques, and procedures, learning and adapting from the errors that led to their disruption, thus reinventing their approach, as necessary.
“This cyclic nature of law enforcement disruption and the resurgence of these ransomware groups points to a broader issue within the cybercrime ecosystem. The issue fundamentally is the drivers behind ransomware attacks, such as financial incentives, the relative anonymity of cryptocurrency transactions, and the ad-infinitum discovery of vulnerabilities that remain unaddressed.
“Until then we can expect the rinse-repeat cycle of disruption and resurgence to continue for the foreseeable future,” said Cassidy.
Read more about the LockBit takedown
- 19 February 2024: The notorious LockBit ransomware crew has been disrupted in an international law enforcement sting led by the UK’s National Crime Agency.
- 20 February: The UK’s National Crime Agency and its global partners have shared more details on their audacious takedown of the LockBit ransomware operation, including news of two arrests.
- 20 February: Reaction to the takedown of the LockBit ransomware gang is enthusiastic, but tempered with the knowledge that cyber criminals are often remarkably resilient.
- 22 February: The LockBit ransomware gang was already on the ropes prior to the NCA-led takedown, according to security researchers.
- 23 February: The NCA has teased details of the identity of LockBit's main admin via the gang’s compromised dark web site, and hinted that he has been engaging with law enforcement.