
Fears post-LockBit ransomware void won’t last long

The same security experts praising the recent international law enforcement takedown of the prolific LockBit ransomware empire are warning the criminal void will quickly be filled.  

LockBit's demise was tied to the months-long Operation Cronos. It involved government agencies from 10 countries, including the FBI and the UK’s National Crime Agency (NCA).

Europol officials described it as a significant breakthrough in the fight against cybercrime and severely damaging to the capability and credibility of LockBit. The criminal group is blamed for more than 2000 ransomware attacks and extorting over $120 million since 2020.

“For years, LockBit associates have deployed these kinds of attacks again and again across the United States and around the world. Today, U.S. and U.K. law enforcement are taking away the keys to their criminal operation,” U.S. Attorney General Merrick Garland said in a prepared statement on Tuesday.

LockBit takes a massive hit

The UK's NCA had taken control of LockBit’s primary administration environment, used by affiliates to build and carry out attacks, as well as the gang’s dark web leak site, the agency said.

The Operation Cronos taskforce agencies seized and took down 28 servers belonging to LockBit affiliates. Two people linked to the group were arrested in Poland and Ukraine, and more than 200 cryptocurrency accounts were frozen.

The NCA obtained over 1000 decryption keys it would share with victims to help them recover encrypted data.

“Our work does not stop here,” NCA director general Graeme Biggar said. “LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

But is it a knockout blow?

The true extent of the damage and destruction inflicted on LockBit’s infrastructure would become clearer over time, researchers at ZeroFox said in a blog post.

“LockBit’s infrastructure has likely been significantly degraded by Operation Cronos. However, LockBit operatives and affiliates are very likely still able to deploy the strain against compromised networks.”

According to research by Malwarebytes Labs, LockBit carried out almost three times as many attacks over the past year as its biggest ransomware rivals, ALPHV/BlackCat and Cl0p.

Given LockBit’s large share of the ransomware pie, the success of the law enforcement operation would likely suppress global ransomware and digital extortion (R&DE) attacks, at least in the short term, ZeroFox’s researchers said.

“However, Operation Cronos is unlikely to have a sustained impact on the threat from R&DE,” they warned.

The researchers compared LockBit’s situation to that of ALPHV/BlackCat, which appeared to be impacted by disruptive law enforcement action late last year.

“The December 2023 disruption of R&DE collective ALPHV degraded its operational capability significantly, though not comprehensively. This enabled the collective to continue its operations in 2024, with ZeroFox observing an upward trajectory of attacks in recent weeks,” they said.

“It is crucial that security teams continue to monitor for LockBit IOCs (indicators of compromise) and TTPs (tactics, techniques and procedures), in addition to staying on top of R&DE landscape trends to identify the banner under which these operatives will resume their extortion activities.”

Trustwave’s vice president of EMEA consulting and professional services, Ed Williams, agreed that after a short-term reduction in LockBit infections, the R&DE scene could return to “business as usual”.

“If we consider the root cause issues that LockBit exploits, none of these have been remediated by [the gang’s takedown],” he said.

“I would give it 2-3 months, after which we’ll see a reincarnation of this flavor of ransomware, which I suspect will be even more sophisticated as the threat actors will have taken lessons from today and be able to cover their tracks better going forward.”

Law enforcement’s new approach welcomed

Jamie MacColl, a research fellow in cyber threats and cyber security at Royal United Services Institute, said on LinkedIn that Operation Cronos indicated how law enforcement had shifted from focusing on convicting ransomware operators and affiliates to a “disruption- and harm reduction-based strategy”.

“This is not just about taking down infrastructure, but also seeking ways to obtain decryption keys for victims on an ongoing basis,” MacColl said.

He believed the taskforce’s actions in taking LockBit’s own data and using it to contact the gang’s affiliates to let them know law enforcement has their details was “a positive step in the right direction”.

“Takedowns are not enough and arguably lead to criminals redoubling their efforts and improving their operational security,” he said. “Eroding trust in the security of infrastructure and data, and the reliability of other criminals in the ecosystem, is more likely to have longer lasting effects on ransomware as a criminal enterprise.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
