
LockBit Ransomware Threat Persists


MSSPs, MSPs and various cybersecurity providers continue to offer analysis and advice in the aftermath of the stunning LockBit ransomware group takedown this week, while urging caution against other ransomware operations seeking the next opportunity to attack.

It's possible the threat is not over yet. Late this week, Sophos X-Ops reported via its social media account that, despite the recent law enforcement action, it had observed several attacks over the preceding 24 hours that appeared to use LockBit ransomware built with a leaked malware builder tool. Sophos posted this news as an update to its blog post about the ConnectWise ScreenConnect vulnerabilities.

LockBit says it has restored its servers and is back in business, Reuters reported on February 26.

LockBit Law Enforcement Action

On February 20, the U.S. Justice Department announced that the U.K. National Crime Agency’s (NCA) Cyber Division, working in cooperation with the Federal Bureau of Investigation (FBI) and other international law enforcement partners, seized numerous public-facing websites and servers used by LockBit administrators. The effort dealt a major blow to LockBit threat actors’ ability to attack and encrypt networks and extort victims by threatening to publish stolen data.

The LockBit ransomware variant first appeared around January 2020 and had grown into one of the most active and destructive variants in the world, the Justice Department said. Moreover, LockBit members have executed attacks against more than 2,000 victims in the U.S. and around the world, making at least hundreds of millions of U.S. dollars in ransom demands and receiving over $120 million in ransom payments. 

According to Sophos X-Ops’ analysis, LockBit has been among the top 10 most reported ransomware infections every year since 2020. In 2023, Sophos’ Incident Response team found that LockBit accounted for one in five of all ransomware infections.

Chester Wisniewski, field chief technology officer for Sophos, an MSSP Alert MDR Top 40 company, was cautiously optimistic that LockBit had been dealt a death blow.

“Much of LockBit’s infrastructure is still online, but I don’t expect them to make a triumphant return,” Wisniewski said. “These groups continually rebrand and regroup under different banners to continue their ransacking of innocent victims’ networks and take on name identities to evade sanctions. It’s probably fair to say goodbye for now, but just like other groups before them, those who are not apprehended are likely to continue their crime spree. We must remain vigilant and not let our guard down.”

Keegan Keplinger, senior threat security researcher with eSentire’s Threat Response Unit, said that the global law enforcement effort against the LockBit ransomware operators and their affiliates was well-orchestrated.

“Your typical takedown features a static seizure page, but in this case, law enforcement kept their dark web leak site fully functioning and replaced victim leak posts with leaks about the LockBit threat actors, including doxxing Bassterlord, an affiliate of LockBit's known for both his confrontational Twitter tone and the public sale of an intrusion manual at the outrageous price of $10,000,” Keplinger said.

Trend Micro Partners with Law Enforcement

On Thursday, global cybersecurity provider Trend Micro disclosed its key role in LockBit’s takedown. Through undercover infiltration, Trend Micro helped prevent the release of the group's next malware products and automatically installed protection for Trend Micro customers — even before the group themselves had finished testing, according to Robert McArdle, a leader in Trend Micro's cybercrime research team and collaborator with the FBI and NCA.

"Last week, Trend secured global Microsoft users from a critical vulnerability and this week we were a part of dethroning the most critical threat actor group in the world,” McArdle said. “Now, insiders aren't naïve enough to assume this will eliminate the crime group, but we know that no sane criminal would want to be involved with this group again."

Tim MalcomVetter, executive vice president of Strategy at NetSPI, a specialist in breach and attack simulation, cautioned that there are likely dozens more threat actors ready to strike. He urged organizations to focus on the general attack behaviors shared across a variety of potential threats rather than on a single ransomware family.

“If CISOs and security leaders only focus on preventing one particular threat actor, whether it’s LockBit or something else, it’s kind of like going to a self-defense class worried you might run into Mike Tyson in a dark alley when he’s mad at you,” he said. “It just won’t ever happen or work out like that. Instead, organizations need to be ready for an untrained, hostile and likely intoxicated assailant who doesn’t hit as hard as Mike Tyson but probably can still hurt you.”

Russia’s Next LockBit?

Sean McNee, vice president of Research and Data at DomainTools, a threat intelligence company that partners with MSSPs, noted that LockBit pioneered the use of “affiliates” who would use the gang’s ransomware tools to launch their own attacks and share a cut of the profits.

"The disruption of LockBit has implications for Russian-affiliated cybercrime actors, as this takedown may deter others from continuing their operations or force them to change their tactics and infrastructure to avoid detection and prosecution,” McNee explained. “This action could also provoke some Russian cybercriminals to retaliate, especially in light of the ongoing geopolitical tension between Russia and Ukraine."

Ismael Valenzuela, vice president of Threat Research & Intelligence at BlackBerry Cybersecurity, believes that LockBit’s takedown will only create a vacuum for others to fill. While he sees it as a promising step forward, his team’s research shows a troubling shift in threat actors’ methodology that is here to stay and is equally destructive.

“Our research team has been tracking LockBit for years, and quarter over quarter we’ve seen LockBit grow as one of the most dangerous groups operating in this space,” Valenzuela said. “However, the victory will likely be short-lived. The reality of this business, and it is a business, is that LockBit’s absence will only create a vacuum for others to fill who are already active yet largely unidentified.”

He noted that BlackBerry’s research indicates a trend toward financiers working with smaller entities to develop and deploy novel malware, which shows no sign of stopping.

“Last quarter alone, there was a 70% increase in novel malware attacks, with healthcare and critical infrastructure being two of the most prominent areas novel malware was found,” he said. “This is likely how we’ll see LockBit’s space filled in the short-term — financiers working with smaller groups to develop resource intensive but hard-to-detect novel malware with high ROI potential on profitable sectors.”

LockBit Origins Traced to GOLD MYSTIC

Secureworks has made several key observations regarding LockBit’s origins, based on 22 incident response engagements in the last three years:

  • The GOLD MYSTIC threat group began ransomware operations in 2019, adopting the LockBit name for its file-encrypting malware in 2020 and listing its first victims on its leak site in September 2020.
  • The first iteration of LockBit did not see significant take-up, with only nine victim names posted to its leak site in the first five months of operation.
  • After six months of apparent inactivity, in June 2021 GOLD MYSTIC launched LockBit 2.0, an enhanced version of the ransomware that was billed as being easier to use and implementing

$15 Million Reward Offer

The U.S. Department of State is offering rewards totaling up to $15 million for information leading to the arrest and/or conviction of any individual participating in a LockBit ransomware variant attack and for information leading to the identification and/or location of any key leaders of the LockBit ransomware group.

Information in response to the reward offer can be submitted to the FBI through email at [email protected], by Telegram at @LockBitRewards, or by contacting +1-646-258-2533. 

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.