Locking Up Lockbit: The Fall of a Ransomware Cartel

Joao Correia

February 28, 2024 - Technical Evangelist

As of the time I’m writing this, earlier this week a cybersecurity bombshell story just broke that, for once, is actually a positive turn of events. I’m talking about Operation Cronos, an international law enforcement operation that seized the Lockbit ransomware infrastructure, led to arrests of persons affiliated with the criminal organization, and resulted in the release of an official decryptor tool for Lockbit-encrypted files.

The Ransomware Scene

Ransomware is one of the most insidious types of malware, in which a malicious actor deploys – through different methods – software specifically tailored to encrypt the files stored in a target system, rendering them unusable until the victim organization or individual agrees to pay a “ransom” to restore access to those files.

Bear in mind, actually agreeing to pay the ransom does not necessarily translate to you actually getting back access to those files – no honor among thieves, as the saying goes – and flags you as a willing victim, ripe for the next extortion to happen.

On top of that, as if it wasn’t enough, ransomware operators now also employ a so-called double extortion tactic, where first you pay to regain access to your own data, and then you’re “invited” to pay to keep the data the malicious actor exfiltrated prior to encryption from being released online. Intellectual property, trade secrets, confidential agreements, and personally identifiable information all are fair targets for these less-than-scrupulous individuals and groups.

In fact, the tactics are so successful that ransomware-focused groups now operate large enterprise-like organizations, and have developed an entire economic model around Ransomware-as-a-Service, in which they provide their infrastructure and software to “affiliates” who then find and hit target organizations, giving a cut (reported to be around 30%) to the ransomware organization, who proceeds to launder the ransom payment money.

There were, until last year, three major players in the ransomware space: AlphV/Blackcat, Conti, and Lockbit. The first two were targeted by law enforcement in the second half of 2023, and, if not completely eliminated, then severely curtailed in their ability to continue to operate.

Lockbit was hit this week.

Locking Up Lockbit

The crackdown on Lockbit, dubbed Operation Cronos, marks a significant milestone in the ongoing battle against ransomware. This operation involving multiple international law enforcement agencies, including the UK’s National Crime Agency (NCA), the FBI, and coordinated across borders by Europol and Eurojust, showcases the power of international cooperation in disrupting cybercriminal enterprises.

Recent announcements from law enforcement agencies have shed light on the intricate details of Lockbit’s operations, from their cryptocurrency and money laundering practices to their advanced tradecraft and the infrastructure used to support their affiliates. These revelations provide invaluable insights into the workings of modern ransomware gangs and highlight the challenges facing cybersecurity professionals today.

A Coordinated Strike against Cybercrime

The arrests in Poland and Ukraine, along with the seizure of over 200 cryptocurrency wallets, demonstrate the effectiveness of hacking back against cybercriminals. By infiltrating the servers of the Lockbit gang, authorities were able to dismantle a significant part of the ransomware’s infrastructure, crippling its operations and providing relief to countless potential victims.

Furthermore, the collaboration between law enforcement and cybersecurity firms, such as SecureWorks and TrendMicro, has been instrumental in analyzing Lockbit’s tactics and future iterations of their ransomware. This partnership has not only facilitated the takedown but also ensured the release of a Lockbit decryptor tool, offering a lifeline to affected entities.

In fact, the release of the decryptor tool reinforces a point long argued when a ransomware incident happens: keep the encrypted data for as long as possible. Several operations in the past have uncovered the private keys used to encrypt the data and have been made available to the public. If you’re in a position to wait – that is, the encrypted data is not immediately necessary – this wait-and-see strategy is both cheaper and potentially safer when approaching this problem.

Sanctions and Cybersecurity Advisories: A Dual Approach

The United States’ decision to impose sanctions on affiliates of the Russia-based Lockbit group underscores the government’s commitment to a whole-of-government approach against cyber threats. These sanctions, coupled with detailed cybersecurity advisories, aim to protect citizens and institutions from ransomware attacks and to hold accountable those who enable these malicious activities.

Lockbit: A Case Study in Ransomware Evolution

Lockbit, known for its Ransomware-as-a-Service model and double extortion tactics, represents the evolving threat landscape of cybercrime. The group’s ability to exfiltrate and encrypt vast amounts of data before demanding ransom payments has made it one of the most prolific ransomware variants globally. For reference, the group has reportedly received over 100 million USD in the past year alone in ransom payments.

The seizure of Lockbit’s infrastructure, including servers used to host stolen data and its dark web leak sites, marks a significant victory for law enforcement. However, it also serves as a reminder of the persistent and adaptable nature of cybercriminals.

The Irony Of The Takedown

So, how exactly was Lockbit stopped? It turns out that one of their onion network-facing web servers was not patched for a known vulnerability. The same tactic employed to gain illegal access to victims’ systems was used to gain access and identify the server from which Lockbit provided “customer” support to the ransomware victims (read: where they haggled the ransom amount and threatened the victims into paying the ransom).

The website was running on top of PHP 8, and the specific version was vulnerable to CVE-2023-3824. I guess everyone is guilty of delayed patching at some point.

Moving Forward: Lessons Learned and the Path Ahead

The successful takedown of Lockbit through Operation Cronos is a testament to the importance of international collaboration and the need for a multi-faceted approach to cybersecurity. As we celebrate this victory, we must also prepare for the inevitable evolution of ransomware tactics and the emergence of new threats.

The economic drive behind ransomware ensures that the space now left open will undoubtedly be quickly fought over by new actors and groups. The fact that some of the Lockbit members remain in jurisdictions outside the reach of international law enforcement and virtually immune to the effect of sanctions, it won’t be far-fetched to imagine a situation where a new variant or a rebranded lockbit organization spins up again.

Cybersecurity professionals, organizations, and individuals alike must remain vigilant, adopting proactive defense measures and fostering cooperation to counter the ever-present threat of ransomware. The fight against cybercrime is far from over, but operations like Cronos offer hope and a blueprint for future successes in this ongoing battle.

The (very) positive side to this story is that, once again, it shows how fragile these criminal organizations really are, even when hiding behind the facade of mastermind hacker stereotypes, as they are commonly portrayed.

Summary