Hubris May Have Contributed to Downfall of Ransomware Kingpin LockBit

Published: 23/11/2024   Category: security




The most prolific ransomware group in recent years was on the decline at the time of its takedown, security researchers say.



For all its vaunted success, the LockBit ransomware operation appears to have already been beset by problems when an international law enforcement effort led by the UK's National Crime Agency (NCA) shut it down this week.
Security vendor reports that have surfaced following the takedown paint a picture of a once innovative and aggressive ransomware-as-a-service (RaaS) group that had recently been struggling with dissent among members and affiliates, and with a perception among some in the criminal community that it was a snitch.
Many perceive the law enforcement operation as likely having caused irreparable damage to the criminal outfit's ability to continue with ransomware activities, at least in its current form and under the LockBit brand. Though it is likely that the dozens of independent affiliates that distributed and deployed LockBit on victim systems will continue operating through other RaaS providers, their ability to continue with LockBit itself appears unviable for the moment.
"It's likely too early to say," says Jon Clay, vice president of threat intelligence at Trend Micro, which collaborated with the NCA to analyze a new developmental version of LockBit and release indicators of compromise for it. "But due to the exposure and all the information shared, like [LockBit's] decryption tools, seized cryptocurrency accounts, and infrastructure takedown, the group and their affiliates are probably hindered from operating effectively."
The NCA's cyber division, in collaboration with the FBI, the US Department of Justice, and law enforcement agencies from other countries, disclosed earlier this week that they had severely disrupted LockBit's infrastructure and operations under the aegis of a months-long effort dubbed Operation Cronos.
The international effort resulted in law enforcement taking control of LockBit's primary administrative servers that allowed affiliates to carry out attacks; the group's primary leak site; LockBit's source code; and valuable information on affiliates and their victims. Over a 12-hour period, members of the Operation Cronos task force seized 28 servers across three countries that LockBit affiliates used in their attacks. They also took down three servers that hosted a custom LockBit data exfiltration tool called StealBit; recovered over 1,000 decryption keys that could potentially help victims recover LockBit-encrypted data; and froze some 200 LockBit-connected cryptocurrency accounts.
The initial break appears to have resulted from an op-sec failure on LockBit's part: an unpatched PHP vulnerability (CVE-2023-3824) that gave law enforcement a foothold in LockBit's environment.
The US DoJ on the same day also unsealed an indictment that charged two Russian nationals, Ivan Kondratyev, aka Bassterlord, one of the most prominent of LockBit's many affiliates, and Artur Sungatov, for ransomware attacks on victims across the US. The department also disclosed that it presently has in custody two other individuals, Mikhail Vasiliev and Ruslan Astamirov, on charges connected to their participation in LockBit. With the new indictment, the US government says it has so far charged five prominent LockBit members for their roles in the crime syndicate's operation.
On Feb. 21, the US State Department amped up pressure against LockBit members by announcing rewards totaling $15 million for information leading to the arrest and conviction of key members and leaders of the group. The Department of the Treasury joined the fray by imposing sanctions on Kondratyev and Sungatov, meaning that US victims of LockBit whose ransom payments reach the sanctioned individuals would be in violation of US sanctions law.
In executing the takedown, law enforcement left somewhat mocking messages for affiliates and others related to LockBit on sites they had seized during the operation. Some security experts viewed the trolling as a deliberate attempt by Operation Cronos to shake the confidence of other ransomware actors.
One of the reasons is to send a warning message to other operators that LEA can and will target your group for similar actions, says Yelisey Bohuslavskiy, chief research officer at threat intelligence firm RedSense. It is likely that many groups are currently assessing their operational security to determine if they have already been breached and may have to figure out how to better secure their operations and infrastructure.
Together, the actions represented a well-earned success for law enforcement against a group that over the last four years has caused billions of dollars in damages and extracted a staggering $120 million from victim organizations around the world. The operation follows a string of similar successes over the past year, including takedowns of ALPHV/BlackCat, Hive, Ragnar Locker, and Qakbot, a widely used ransomware dropper.
While other groups have rebounded following similar takedowns, LockBit itself might have a bigger challenge getting restarted. In a blog following news of the takedown, Trend Micro described the group as one that has recently struggled to stay afloat because of numerous problems. These include the theft and subsequent leak of the LockBit builder by a disgruntled member in September 2022, which allowed other threat actors to deploy ransomware based on LockBit code. A string of patently false claims about new victims and made-up leaked data on LockBit's leak site, starting last April, has also raised questions about the group's victim count, and its increasingly frantic efforts to attract new affiliates have had an air of desperation about them, Trend Micro said. LockBit's reputation as a trusted RaaS player among cybercriminals has also taken a hit following rumors of its refusal to pay affiliates as promised, the security vendor said.
"Recently, LockBit's administrative team has come under significant pressure from a reliability and reputation standpoint following a ransomware attack on Russian company AN Security in January involving LockBit ransomware," says Aamil Karimi, threat intelligence leader at Optiv.
"Attacks against CIS countries are strictly prohibited across most RaaS operations," Karimi says. "They were facing fines and banishment from underground forums as a result of the attack on AN Security." What has added to the drama around the incident are rumors about a rival group carrying out the attack deliberately to create problems for LockBit, he notes.
"Because of this, there was plenty of opportunity for rival groups to take over the space occupied by LockBit. There was no remorse shown by rival groups following news of LockBit's takedown," he says. "LockBit was the most prolific of the groups, but as far as respect and reputation, I don't think there was any love lost."
Bohuslavskiy of RedSense says suspicions that a LockBit administrator was replaced by agents of Russia's Federal Security Service (FSB) have not helped the group's image either. He says the origins of these suspicions go back to 2021, when Russia's government appeared to take a series of actions against ransomware operators such as REvil and Avaddon. It was around that time that LockBit's admin suddenly went quiet, Bohuslavskiy says.
"This was mostly spotted by the [initial access brokers] who worked directly with [the administrator]," he notes. "By August, the admin reappeared, and this is when the IABs began to say that the person was changed and substituted by an FSB operative."
RedSense this week published a blog summarizing the findings from a three-year investigation of LockBit, based on conversations with members of the operation.
