Global Law Enforcement Disrupts LockBit Ransomware Gang
Operation Cronos, a collaboration between authorities in the US, Canada, UK, Europe, Japan, and Australia — seizes data and websites associated with the prolific cybercriminal organization and its affiliates.
Global law-enforcement authorities including the FBI have disrupted the activities of the formidable LockBit ransomware gang, taking control of its platform and seizing data associated with its global ransomware-as-a-service (RaaS) operation.
Information obtained by the operation — called Operation Cronos — includes source code, details of ransomware victims, stolen data, decryption keys, and the amount of money extorted by LockBit and affiliates, according to a message from authorities that appeared to an affiliate logged onto the LockBit control panel. The news first broke Feb. 19 when a screenshot of that message was posted on the X (formerly Twitter) account of Vx-Underground, an online repository for malware source code, samples, and papers.
The message cited Lockbitsupp [sic] and its flawed infrastructure as the reason for the seizure and was signed by the FBI, the National Crime Agency (NCA) of the UK, Europol, and the Operation Cronos Law Enforcement Task Force.
The NCA later confirmed the law-enforcement activity in a press release published today, saying it has taken control of LockBit's primary administration environment and the group's public-facing leak site on the Dark Web. Affiliates used the former to build and carry out attacks, while the latter is where LockBit hosted and published (or threatened to publish) data stolen from victims.
"Instead, this site will now host a series of information exposing LockBit's capability and operations, which the NCA will be posting daily throughout the week," according to the release.
Authorities also have seized the LockBit platform's source code and a vast amount of intelligence from its systems about its activities and those who have worked with the group, the NCA confirmed. They also obtained a thousand LockBit decryption keys, and the respective authorities will be in contact with victims to help them use the keys to recover data.
LockBitSupp is the threat actor/technical support service that runs the LockBit operation, using the Tor messaging service to communicate with affiliates. The account status of LockBitSupp on that service now shows a message stating that authorities breached the ransomware operation's servers using a PHP exploit, according to a published report.
The vulnerability used to compromise LockBit is tracked as CVE-2023-3824, a flaw present in PHP version 8.0 before 8.0.30, 8.1 before 8.1.22, and 8.2 before 8.2.8, according to Vx Underground. In vulnerable versions, reading PHAR directory entries during the loading of a PHAR file can result in insufficient length checking that can lead to a stack buffer overflow, which in turn can potentially lead to memory corruption or RCE, according to the flaw's entry in NIST's National Vulnerability Database.
The NCA did not confirm how authorities breached LockBit's operations, but said that the technical infiltration and disruption is only the beginning of a series of actions against LockBit and its affiliates. As part of the group effort, Europol also arrested two LockBit actors in Poland and Ukraine, while more than 200 cryptocurrency accounts linked to the group have been frozen.
LockBit is arguably the world's largest RaaS operation, which has been rampantly pillaging organizations and their data through custom malware tools and a network of cybercriminal affiliates since it first appeared on the scene in 2019. Between 2020 and June of last year, the group extorted around $91 million across 1,700 attacks against US organizations.
While initial LockBit victims were small and midsize companies, the group gained confidence over the years and began to target larger and more recognizable organizations. Some of its most recent victims included aviation manufacturer Boeing, sandwich maker Subway, Hyundai Motor Europe, and Bank of America, among others.
Because of the size and scope of its operation, LockBit has been in the crosshairs of global authorities for some time, and even before Operation Cronos some of the group's associates had already been arrested.
In June of last year, the US Department of Justice arrested and charged a Russian national, Ruslan Magomedovich Astamirov, for his role as a LockBit affiliate in at least five attacks between August 2020 and March 2022. Astamirov was the third defendant charged by the DoJ in relation to the LockBit global ransomware campaign, and the second defendant to be apprehended.
While experts believe the law-enforcement actions will certainly slow the group's pace of attacks in the immediate future, they probably won't stop LockBit and its affiliates entirely from participating in ransomware activity — an assessment borne out by the resurgence of the BlackCat/AlphaV and Cl0p gangs after their dismantling.
"In time ... they will resurface, likely under a different name, with current members likely joining or establishing other successful gangs," Yossi Rachman, senior director, research at security firm Semperis, notes in an email to Dark Reading.
That's why it's important for organizations to remain vigilant to avoid compromise by the group, he says. To this end, the Cybersecurity and Infrastructure Security Agency (CISA) earlier this month released on its website a list of indicators of compromise (IOCs) of the group's ransomware as well as a series of mitigations (PDF) to reduce the risk of compromise.
Recommendations made by the agency include requiring all accounts with password logins to have strong, unique passwords that aren't reused across multiple accounts or stored on a system where an adversary may have access. Organizations also should require the use of multi-factor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
CISA also advised that organizations keep all operating systems and software up to date, prioritizing patching of known exploited vulnerabilities. Removing unnecessary access to administrative shares and/or restricting privileges also can thwart ransomware actors from accessing corporate systems.
Other recommendations made by the agency include the use of a host-based firewall that only allows connections to administrative shares via Server Message Block (SMB) from a limited set of administrator machines, and the enablement of protected files in the Windows operating system to prevent unauthorized changes to critical files.
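The host-based firewall recommendation above is the kind of control that is easy to get subtly wrong on Windows. The following PowerShell is an added illustration written for this article, not code from CISA's advisory or from Dark Reading; the administrator IP addresses, rule names, and the choice of Controlled Folder Access as the "protected files" feature are assumptions, marked as such in the comments. It scopes inbound SMB (TCP 445) to a named set of administrator hosts and then lists every rule that still admits port 445 so the result can be checked.

```powershell
# Added example (not from the article or CISA's advisory): restrict inbound SMB
# (TCP 445) to a fixed set of administrator workstations with Windows Defender
# Firewall. Run in an elevated PowerShell session on the server being protected.
# The addresses and rule names below are placeholders; substitute your own.

$AdminHosts = @('10.0.10.5', '10.0.10.6')   # placeholder: admin jump hosts allowed to reach SMB

# 1. Make the default inbound action Block on every profile, so anything not
#    explicitly allowed is dropped. Explicit Block rules take precedence over
#    Allow rules in Windows Defender Firewall, so a blanket "block 445" rule
#    plus a narrower Allow rule would NOT give the intended result; rely on the
#    default action instead.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable the built-in SMB-In rules, which would otherwise admit TCP 445
#    from any remote address while they stay enabled.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.DisplayName -like '*SMB-In*' } |
    Disable-NetFirewallRule

# 3. Add a single scoped Allow rule for the administrator hosts only.
New-NetFirewallRule -DisplayName 'SMB-In from admin hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $AdminHosts -Action Allow `
    -Profile Domain,Private -Enabled True

# 4. Assumption: "protected files" in the CISA guidance is read here as
#    Microsoft Defender Controlled Folder Access, which blocks untrusted
#    processes from modifying files in protected folders.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 5. Verify: list every enabled inbound Allow rule that covers TCP 445 and
#    show its remote-address scope. Anything other than the rule created above
#    (or a rule scoped to the same hosts) should be investigated.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
```

The verification step matters because Group Policy or software installers can add their own SMB allow rules later; re-running it periodically (or feeding its output to an inventory tool) turns the one-time hardening into something that can be audited.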