Broken LockBit: Ransomware Group Takedown Will Have Impact
Even If Group Reboots, Disruption Already Stands as a Success, Experts Say

Blue Monday arrived late this year for the LockBit ransomware-as-a-service group, after an international coalition of law enforcement agencies seized swaths of its infrastructure.
LockBit's Tor-based data leak site suffered an unexpected makeover Monday, when instead of listing nonpaying victims and publishing stolen data, it read: "We can confirm that LockBit's services have been disrupted as a result of international law enforcement action."
Next came terrible Tuesday for LockBit, when Britain's National Crime Agency said it had infiltrated and seized LockBit's infrastructure, "compromising their entire criminal enterprise," and had obtained 1,000 decryption keys, which they promised to distribute to victims as part of an international police effort dubbed Operation Cronos. Police arrested four LockBit suspects - including one each in Poland and Ukraine - and also indicted two Russians, who remain at large.
Authorities posted this message - later published by malware research group vx-underground - to the ransomware group's affiliate panel: "You can thank LockBitSupp and their flawed infrastructure for this situation," referring to LockBit's leadership persona. "We may be in touch with you very soon."
"FBI pwned me," LockBitSupp told vx-underground.
Score one for the good guys against this gang of cybercrime scum. "Anything that disrupts their operations and sows distrust among their affiliates and suppliers is a huge win," said Chester Wisniewski, global field CTO at Sophos.
The LockBitSupp persona has appeared to be run by one or two individuals, including the group's leader, according to Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1. In this case, of course, perhaps it was an FBI special agent, if law enforcement successfully infiltrated the group's operations.
LockBitSupp subsequently told vx-underground that law enforcement had compromised its infrastructure by exploiting a vulnerability in certain versions of PHP, designated CVE-2023-3824. First detailed in August 2023, when a researcher published proof-of-concept exploit code, the vulnerability - rated as critical - exists in certain versions of PHP 8.0.x, 8.1.x and 8.2.x when loading a .phar package file or reading a .phar file directory. Due to the flaw, "insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption" and the threat of remote code execution, according to the U.S. National Vulnerability Database. Developers began to release patches for the flaw not long after the researcher first posted public details.
Will the LockBit disruption stick?
Many of the main players appear to remain at large. "It is very unlikely that the core of the LockBit group, which is based in Russia, will be arrested, but this disruption will have a significant impact on the ransomware ecosystem, and we should enjoy that disruption before we get quickly back to building our defenses," said Allan Liska, a principal intelligence analyst with Recorded Future.
Security experts have long reported that LockBit, as well as its egocentric leader, seemed to be going off the rails, despite their one-time popularity.
LockBit cemented a reputation for being a "bottom feeder of the dark web," driven by a perception among other ransomware group administrators that the head of LockBit was "always being drunk and talking to journalists," Yelisey Bohuslavskiy, co-founder and chief research officer at RedSense, recently told me.
Last summer, DiMaggio reported the group had failed to scale its infrastructure to keep pace with an explosion in its popularity among criminals, due in part to its leadership failing to retain technical talent. As a result, the group was failing in multiple ways that the leadership attempted to cover up, including, oftentimes, by not leaking stolen data from victims who didn't meet its ransom demands.
Technically, DiMaggio said, the group, which at one time had a reputation for having sophisticated and fast-acting crypto-malware, failed to meet milestones for putting out new versions of its ransomware. Instead, the group rebranded a previously leaked Conti locker.
At the time of the takedown, Bohuslavskiy said the group was attempting to portray itself as still being big and bad. In reality, at this "surface" layer, the group was "comically low-capability: fake claims, lack of payments, constant affiliate scams, and 'LockBitSupp' serving as a mere distraction for actual operations," he said in a Monday LinkedIn post.
That public persona obscured the fact that LockBit had remained in business only thanks to its use of "ghost groups" consisting of "outsourced labor from other groups," whose work it claimed as its own, Marley Smith, principal threat researcher at RedSense, recently told me. These other groups included former members of BlackCat and active members of Zeon, she said.
Ransomware operations' impetus for using ghost groups - typically, independent contractors who previously worked for the Russian-speaking Conti group - is to compensate for a lack of technical talent and "to maintain a certain level of mystique and power that they need" to keep attracting affiliates and scaring victims into paying, Smith said.
Post-takedown, contract talent hired by LockBit will likely remain as long as they're still getting paid, but that doesn't mean they won't face fatigue and a hit to morale from having to rebuild, Bohuslavskiy said.
"Even if these operations continue as normal, the small pool of elite pen testers will most likely continue to be fatigued and quit in the event of another major takedown," he said. "This is exactly why takedowns work, and this is why this operation should already be considered a success."