A sweeping law enforcement operation led by the U.K.’s National Crime Agency (NCA) this week took down LockBit, the notorious Russia-linked ransomware gang that for years has wreaked havoc on businesses, hospitals, and governments around the world.
The action saw LockBit’s leak site downed, its servers seized, multiple arrests made, and U.S. government sanctions applied in what is one of the most significant operations taken against a ransomware group to date.
It’s also, undoubtedly, one of the more novel takedowns we’ve seen, with U.K. authorities announcing the seizure of LockBit’s infrastructure on the group’s own leak site, now home to a host of details about the gang’s inner workings — with the promise of more to come.
Here’s what we’ve learned so far.
LockBit didn’t delete victims’ data — even if they paid
It’s long been suspected that paying a hacker’s ransom demand is a gamble and not a guarantee that stolen data will be deleted. Some corporate victims have even said as such, saying they “cannot guarantee” that their data would be erased.
The LockBit takedown has given us confirmation that this is absolutely the case. The NCA revealed that some of the data found on LockBit’s seized systems belonged to victims who had paid a ransom to the threat actors, “evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” the NCA said in a statement.
Even ransomware gangs fail to patch vulnerabilities
Yes, even ransomware gangs are slow to patch software bugs. According to malware research group vx-underground citing LockBitSupp, the alleged leader of the LockBit operation, law enforcement hacked into the ransomware operation’s servers using a known vulnerability in the popular web coding language PHP.
The vulnerability used to compromise its servers is tracked as CVE-2023-3824, a remote execution flaw patched in August 2023, giving LockBit months to fix the bug.
“FBI f****d up servers via PHP, backup servers without PHP can’t be touched,” reads LockBitSupp’s translated message to vx-underground, originally written in Russian.
Lockbit ransomware group administrative staff has confirmed with us their websites have been seized. pic.twitter.com/SvpbeslrCd
— vx-underground (@vxunderground) February 19, 2024
Ransomware takedowns take a long time
The LockBit takedown, known officially as “Operation Cronos,” was years in the making, according to European law enforcement agency Europol. The agency revealed Tuesday that its investigation into the notorious ransomware gang began in April 2022, some two years ago at the request of French authorities
Since then, Europol said that its European Cybercrime Center, or EC3, organized more than two dozen operational meetings and four technical one-week sprints to develop the investigative leads ahead of the final phase of the investigation: this week’s takedown.
LockBit has hacked more than 2,000 organizations
It has long been known that LockBit, which first entered the competitive cybercrime scene in 2019, is one of, if not the most prolific ransomware gangs.
Tuesday’s operation all but confirms that, and now the U.S. Justice Department has numbers to back it up. According to the DOJ, LockBit has claimed over 2,000 victims in the U.S. and worldwide, and received more than $120 million in ransom payments.
Sanctions targeting a key LockBit member may affect other ransomware
One of the top LockBit members indicted and sanctioned on Tuesday is a Russian national, Ivan Gennadievich Kondratiev, who U.S. officials allege is involved in other ransomware gangs.
According to the U.S. Treasury, Kondratiev also has ties to REvil, RansomEXX and Avaddon. While RansomEXX and Avaddon are lesser-known variants, REvil was another Russia-based ransomware variant that gained notoriety for high-profile hacks, making millions in ransom payments by hacking U.S. network monitoring giant Kaseya.
Kondratiev was also named a leader of a newly disclosed LockBit subgroup called the “National Hazard Society.” Little else is known about this LockBit affiliate yet, but the NCA promised to divulge more in the coming days.
The sanctions effectively ban U.S.-based victims of Kondratiev’s ransomware from paying him the ransoms he demands. Given Kondratiev has hands in at least five different ransomware gangs, the sanctions are likely to make his life five times more difficult.
The British have a sense of humor
Some people (i.e., me, a British person) would argue that we knew this already, but the LockBit sting has shown us that the U.K. authorities have a sense of humor.
Not only has the NCA made a mockery of LockBit by mimicking the gang’s dark web leak site for its own LockBit-related revelations, but we also found various Easter eggs hidden on the now-seized LockBit site. Our favorite is the various file names for the site’s images, which include “oh dear.png,” “doesnt_look_good.png” and “this_is_really_bad.png.”
Authorities disrupt operations of notorious LockBit ransomware gang
Comment