Possible Contribution of Hubris to the Downfall of Ransomware Kingpin LockBit

The successful takedown of the LockBit ransomware operation by an international law enforcement effort led by the UK’s National Crime Agency (NCA) is being perceived as a major blow to the criminal outfit’s operational abilities. Although it is likely that the dozens of independent affiliates that distributed and deployed LockBit on victim systems will continue operations using other RaaS providers, their ability to continue with LockBit itself appears unviable for the moment.

According to reports from security vendors, the takedown has severely disrupted LockBit’s infrastructure and operations. Law enforcement took control of the group’s primary administrative servers, its primary leak site, its source code, and valuable information on affiliates and their victims. A significant break in the operation came from an unpatched PHP vulnerability in LockBit’s own infrastructure, which gave law enforcement a foothold in the group’s environment.

In addition to the takedown, the US Department of Justice (DoJ) unsealed an indictment charging two Russian nationals, and two other individuals are presently in custody in connection with their participation in LockBit. The US State Department also announced rewards totaling $15 million for information leading to the arrest and conviction of key members and leaders of the group. The Department of the Treasury imposed sanctions on specific individuals associated with LockBit, making future payments from US victims to LockBit strictly illegal.

The takedown was accompanied by messages left on the seized sites for affiliates and others connected to LockBit, a move seen as a deliberate attempt by law enforcement to shake the confidence of other ransomware actors. The actions represent a significant success for law enforcement against a group that has caused billions of dollars in damages and extracted a staggering $120 million from victim organizations over the last four years, and they add to a string of similar successes over the past year.

While other ransomware groups have rebounded following similar takedowns, LockBit itself may face a bigger challenge in restarting because of a series of problems it has undergone lately. The group has dealt with the theft of its builder, false claims about new victims and leaked data, and an increasingly frantic approach to attracting new affiliates. LockBit’s reputation as a trusted RaaS player has taken a hit, not least over its handling of a ransomware attack on a Russian company, adding to the challenges it faces in rebuilding its operations.

There are suspicions that LockBit’s administrator could have been replaced by agents of Russia’s foreign intelligence service, further undermining the group’s image. This theory emerged when the admin suddenly went quiet and later reappeared, leading to speculation that the original person had been substituted by an FSB operative.

In summary, the international law enforcement takedown of LockBit, following a string of successful efforts against other ransomware groups, has significantly disrupted the criminal outfit’s activities. The criminal community is left to wonder about the future of LockBit and its affiliates as law enforcement efforts continue to crack down on ransomware operations.
