
Law Enforcement Worldwide Disrupts LockBit Ransomware Gang


Global law-enforcement authorities, including the FBI, have disrupted the activities of the notorious LockBit ransomware gang. The effort, known as Operation Cronos, led to a substantial seizure of data associated with LockBit’s global ransomware-as-a-service (RaaS) operation. The information obtained includes source code, details of ransomware victims, stolen data, decryption keys, and the amount of money extorted by LockBit and its affiliates.

The news of this disruption first came to light on February 19 when a screenshot of a message addressed to a LockBit affiliate was posted on the X (formerly Twitter) account of Vx-Underground, an online repository for malware source code, samples, and papers. The message, signed by the FBI, the National Crime Agency (NCA) of the UK, Europol, and the Operation Cronos Law Enforcement Task Force, cited “LockBitSupp” and its “flawed infrastructure” as the reason for the seizure.

The NCA later confirmed the law-enforcement activity in a press release, stating that it had taken control of LockBit’s primary administration environment and the group’s public-facing leak site on the Dark Web. The release also said that the NCA would be posting a series of information on the site throughout the week to expose LockBit’s capability and operations.

In addition to seizing the LockBit platform’s source code and a vast amount of intelligence from their systems, authorities also obtained a thousand LockBit decryption keys, with plans to assist victims in using them to recover their data.

The technical infiltration and disruption of LockBit is only the beginning of a series of actions against the group and their affiliates, according to the NCA. As part of a coordinated effort, Europol arrested two LockBit actors in Poland and Ukraine and froze more than 200 cryptocurrency accounts linked to the group.

LockBit has been known to be one of the largest RaaS operations globally, targeting organizations and extorting millions of dollars through cyberattacks. The group has targeted both small and midsize companies, as well as larger organizations like Boeing, Subway, Hyundai Motor Europe, and Bank of America.

While the recent law-enforcement actions will likely slow the group’s pace of attacks in the short term, experts believe they won’t completely stop LockBit and its affiliates from participating in ransomware activity. They advise organizations to remain vigilant and adopt mitigations recommended by the Cybersecurity and Infrastructure Security Agency (CISA) to reduce the risk of compromise.

These recommendations include implementing strong, unique passwords for all accounts, using multi-factor authentication for all services where possible, keeping all operating systems and software up to date, and restricting privileges to thwart ransomware actors from accessing corporate systems.

Overall, the disruption of LockBit by global law-enforcement agencies is a significant blow to the ransomware gang, but as experts warn, the group may eventually resurface under a different name. Therefore, it is crucial for organizations to remain proactive in protecting themselves against such threats.
