URL: https://www.darkreading.com/cyberattacks-data-breaches/hubris-may-have-caused-lockbit-s-downfall
 * Cyberattacks & Data Breaches
 * Vulnerabilities & Threats
 * Insider Threats


HUBRIS MAY HAVE CONTRIBUTED TO DOWNFALL OF RANSOMWARE KINGPIN LOCKBIT

The most prolific ransomware group in recent years was on the decline at the
time of its takedown, security researchers say.

Jai Vijayan, Contributing Writer

February 23, 2024



For all its vaunted success, the LockBit ransomware operation appears to have
already been beset by problems when an international law enforcement effort led
by the UK's National Crime Agency (NCA) shut it down this week.

Security vendor reports that have surfaced since the takedown paint a picture
of a once innovative and aggressive ransomware-as-a-service (RaaS) group that
had recently been struggling with dissent among members and affiliates, and
with a perception among some in the criminal community that it was an
informant.




IRREPARABLE DAMAGE?

Many see the law enforcement operation as likely having done irreparable damage
to the criminal outfit's ability to continue ransomware activities, at least in
its current form and under the LockBit brand. The dozens of independent
affiliates that distributed and deployed LockBit on victim systems will probably
carry on with other RaaS providers, but continuing with LockBit itself looks
unviable for the moment.

"It's likely too early to say," says Jon Clay, vice president of threat
intelligence at Trend Micro, which collaborated with the NCA to analyze a new
developmental version of LockBit and release indicators of compromise for it.
"But due to the exposure and all the information shared, like [LockBit's]
decryption tools, seized cryptocurrency accounts, and infrastructure takedown,
the group and their affiliates are probably hindered from operating
effectively."



The NCA's cyber division in collaboration with the FBI, the US Department of
Justice, and law enforcement agencies from other countries earlier this week
disclosed they had severely disrupted LockBit's infrastructure and operations
under the aegis of a months-long effort dubbed "Operation Cronos."



The international effort resulted in law enforcement taking control of LockBit's
primary administrative servers that allowed affiliates to carry out attacks; the
group's primary leak site; LockBit's source code; and valuable information on
affiliates and their victims. Over a 12-hour period, members of the Operation
Cronos taskforce seized 28 servers across three countries that LockBit
affiliates used in their attacks. They also took down three servers that hosted
a custom LockBit data exfiltration tool called StealBit; recovered over 1,000
decryption keys that could potentially help victims recover LockBit-encrypted
data; and froze some 200 LockBit-connected cryptocurrency accounts.

The initial break appears to have resulted from an operational security failure
on LockBit's part: an unpatched PHP vulnerability (CVE-2023-3824, a stack buffer
overflow in PHP's phar archive handling, fixed in PHP 8.0.30, 8.1.22, and 8.2.8)
that gave law enforcement a foothold in LockBit's environment.
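The article names only the CVE identifier. The check a defender would want at
this point is whether their own PHP build is past the fix. The script below is an
added example, not code from the article, from Trend Micro, or from the PHP
project; the minimum patched release per branch (8.0.30, 8.1.22, 8.2.8) is
taken from the PHP changelog for the fix and should be re-verified against the
advisory before being relied on. It parses `php -v` output, classifies the
upstream version, and flags the usual false-positive case: distribution
packages (e.g. Ubuntu's 8.1.2-1ubuntu2.x) that backport the fix without bumping
the upstream version number.

```python
"""Classify a PHP version against CVE-2023-3824 (phar stack buffer overflow).

Added example; fixed versions below are an assumption taken from the PHP
changelog, not from the article.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Minimum patched release per affected minor branch (assumed from PHP changelog).
FIXED_VERSIONS = {
    (8, 0): (8, 0, 30),
    (8, 1): (8, 1, 22),
    (8, 2): (8, 2, 8),
}
FIRST_SAFE_BRANCH = (8, 3)  # 8.3.0 shipped after the fix and was never affected

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_DISTRO_SUFFIX_RE = re.compile(r"\d+\.\d+\.\d+[-+~][A-Za-z0-9.]+")


def parse_php_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from `php -v` output or a bare version string.

    Distro suffixes such as '8.1.2-1ubuntu2.14' are dropped for comparison;
    see has_distro_suffix() for why that matters.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def has_distro_suffix(text: str) -> bool:
    """True when the version carries a packaging suffix (Debian/Ubuntu/RHEL style).

    Those distributions backport security fixes without changing the upstream
    version, so an upstream-only comparison can report 'vulnerable' for a build
    that is actually fixed. The distro changelog is the authority in that case.
    """
    return _DISTRO_SUFFIX_RE.search(text) is not None


def assess_cve_2023_3824(version: Version) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for an upstream version."""
    branch = version[:2]
    if branch >= FIRST_SAFE_BRANCH:
        return "patched"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # 7.x and older were end-of-life upstream; no fix was released for them.
        return "unsupported"
    return "patched" if version >= fixed else "vulnerable"


def assess_version_string(text: str) -> Tuple[str, bool]:
    """Classify raw `php -v` output; the bool flags a distro-packaged build."""
    version = parse_php_version(text)
    if version is None:
        raise ValueError("no PHP version found in: %r" % text)
    return assess_cve_2023_3824(version), has_distro_suffix(text)


def check_php_binary(php: str = "php") -> Tuple[str, bool]:
    """Run the local interpreter and classify it (requires PHP on PATH)."""
    out = subprocess.run([php, "-v"], capture_output=True, text=True, check=True)
    return assess_version_string(out.stdout)


if __name__ == "__main__":
    try:
        verdict, packaged = check_php_binary()
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("could not run php -v:", exc)
    else:
        print("CVE-2023-3824:", verdict)
        if packaged and verdict == "vulnerable":
            print("distro-packaged build: confirm against the vendor changelog "
                  "before treating this as vulnerable")
```

Run it on the host (`python3 check_php.py`) or feed captured `php -v` output to
`assess_version_string()` from an inventory script. A result of "unsupported"
means the branch never received an upstream fix and should be treated as
needing an upgrade rather than as safe.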




$15 MILLION REWARD

The US DoJ on the same day also unsealed an indictment that charged two Russian
nationals — Ivan Kondratyev, aka Bassterlord, one of the most prominent of
LockBit's many affiliates, and Artur Sungatov — for ransomware attacks on
victims across the US. The department also disclosed that it presently has in
custody two other individuals, Mikhail Vasiliev and Ruslan Astamirov, on charges
connected to their participation in LockBit. With the new indictment, the US
government says it has so far charged five prominent LockBit members for their
role in the crime syndicate's operation.

On Feb. 21, the US State Department ramped up pressure on LockBit members by
announcing rewards totaling $15 million for information leading to the arrest
and conviction of key members and leaders of the group. The Department of the
Treasury joined in by imposing sanctions on Kondratyev and Sungatov, meaning
that US persons, including victims, are prohibited from making ransom payments
to them.



In executing the takedown, law enforcement left somewhat mocking messages for
affiliates and others related to LockBit on sites they had seized during the
operation. Some security experts viewed the trolling as a deliberate attempt by
Operation Cronos to shake the confidence of other ransomware actors.

One of the reasons is to "send a warning message to other operators that LEA can
and will target your group for similar actions," says Yelisey Bohuslavskiy,
chief research officer at threat intelligence firm RedSense. "It is likely that
many groups are currently assessing their operational security to determine if
they have already been breached and may have to figure out how to better secure
their operations and infrastructure."

Together, the actions represented a well-earned success for law enforcement
against a group that over the last four years has caused billions of dollars in
damages and extracted a staggering $120 million from victim organizations around
the world. The operation follows a string of similar successes over the past
year, including takedowns of ALPHV/BlackCat, Hive, Ragnar Locker, and Qakbot, a
widely used ransomware dropper.


A CHALLENGE TO REBUILD

While other groups have rebounded after similar takedowns, LockBit itself may
face a bigger challenge getting restarted. In a blog post following news of the
takedown, Trend Micro described the group as one that had recently struggled to
stay afloat because of numerous problems. These include the theft and
subsequent leak of the LockBit builder by a disgruntled member in September
2022, which allowed other threat actors to deploy ransomware based on LockBit
code. A string of patently false claims about new victims and made-up leaked
data on LockBit's leak site, starting last April, has also raised questions
about the group's victim count, and its increasingly frantic efforts to attract
new affiliates have had an "air of desperation" about them, Trend Micro said.
LockBit's reputation as a trusted RaaS operator among cybercriminals has also
taken a hit following rumors that it refused to pay affiliates as promised, the
security vendor said.



LockBit's administrative team has recently come under significant pressure from
a reliability and reputation standpoint following a January attack with LockBit
ransomware on Russian company AN Security, says Aamil Karimi, threat
intelligence leader at Optiv.

"Attacks against CIS countries are strictly prohibited across most RaaS
operations," Karimi says. "They were facing fines and banishment from
underground forums as a result of the attack on AN Security." Adding to the
drama around the incident are rumors that a rival group carried out the attack
deliberately to create problems for LockBit, he notes.


AN FSB SNITCH?

Because of this, there was plenty of opportunity for rival groups to take over
the space occupied by LockBit. "There was no remorse shown by rival groups"
following news of LockBit's takedown, he says. "LockBit was the most prolific of
the groups, but as far as respect and reputation, I don't think there was any
love lost."

Bohuslavskiy of RedSense says suspicions that a LockBit administrator was likely
replaced by agents of Russia's Federal Security Service (FSB) have not helped
the group's image either. He says the origins of these suspicions go back to
2021, when Russia's government appeared to take a series of actions against
ransomware operators such as REvil and Avaddon. It was around that time that
LockBit's admin suddenly went quiet, Bohuslavskiy says.

"This was mostly spotted by the [initial access brokers] who worked directly
with [the administrator]," he notes. "By August, the admin reappeared, and this
is when the IABs began to say that the person was changed and substituted by an
FSB operative."

RedSense this week published a blog summarizing the findings from a three-year
investigation of LockBit, based on conversations with members of the operation.





ABOUT THE AUTHOR(S)

Jai Vijayan, Contributing Writer



Jai Vijayan is a seasoned technology reporter with over 20 years of experience
in IT trade journalism. He was most recently a Senior Editor at Computerworld,
where he covered information security and data privacy issues for the
publication. Over the course of his 20-year career at Computerworld, Jai also
covered a variety of other technology topics, including big data, Hadoop,
Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai
covered technology issues for The Economic Times in Bangalore, India. Jai has a
Master's degree in Statistics and lives in Naperville, Ill.
