The United Kingdom’s National Crime Agency (NCA), in collaboration with the U.S., Canada and eight other international partners shared a major update this past Tuesday regarding Operation Cronos, the international disruption campaign created to take down the LockBit ransomware group. The government action successfully compromised LockBit’s “entire criminal enterprise” by infiltrating the group’s network, taking control of its services, and accessing its source code, as well as other important intelligence.
LockBit is considered to be one of the most prolific ransomware groups to date, having targeted a plethora of victims globally — and hauling in more than $90 million in ransom payments from the U.S. alone since 2020.
The takedown consisted of seizing control of the group’s primary administration environment, preventing it from building and launching further attacks on victims. Operation Cronos also compromised LockBit’s dark-web leak site, which the group had used to blackmail victims by threatening to post confidential data. The site is now fully run and controlled by the NCA, and is being used to share vital information.
In addition to the takedown, Operation Cronos accessed all of LockBit’s source code, plus a vast amount of intelligence on the gang’s activities and partnerships with other cybercriminals globally, noted Graeme Biggar, Director General of the NCA:
“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”
Here’s what we know about the takedown of the LockBit ransomware group, along with expert insights.
A look at LockBit’s history
LockBit has been active since as early as September 2019, and has rebranded itself several times over the past five years by changing its name and improving its arsenal of tools. As a ransomware-as-a-service (RaaS) group, LockBit had an expansive network of cybercriminal affiliates, recruited to carry out ransomware attacks using the gang’s proprietary malicious tooling.
The Operation Cronos agencies have expressed that the work toward neutralizing LockBit “does not stop here,” noting that much of this work will include prosecuting cybercriminals affiliated with the group, and seizing more of their operations. On Tuesday morning, Europol arrested two LockBit members and froze more than 200 cryptocurrency accounts. And the U.S. Department of Justice criminally charged two defendants and indicted two Russian nationals — all responsible for carrying out LockBit attacks, the NCA said in a statement.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said LockBit made up over 15% of all ransomware incidents targeting Australia, Canada, New Zealand and the U.S. in 2022, making it one of the most successful ransomware organizations in the world.
Ransomware doesn’t end with LockBit
While Operation Cronos is a huge step towards inhibiting international cybercrime, several ransomware groups have previously risen from the ashes as new groups with the same members, operating under different names and with improved tools.
Ashlee Benge, Director of Threat Intelligence at ReversingLabs, said the end of LockBit won’t be the end for ransomware.
“These takedowns are impactful in that they disrupt ransomware gang operations for a time, but inevitably, something new will pop up in LockBit’s place.”
—Ashlee Benge
The Conti ransomware gang, for example, once considered a leading cybercrime group, ceased its operations after the group’s private chats were leaked by one of its own members in retaliation for the war in Ukraine. Not long after Conti’s fall, in late 2022, several threat researchers spotted a never-before-seen ransomware group known as Black Basta. After analyzing several of Black Basta’s attacks, experts concluded that the group was an offshoot of the original Conti group, based on similarities between the two groups’ tactics, techniques and procedures.
Despite the successful Operation Cronos takedown campaign, the track record set by ransomware groups to date likely indicates that an offshoot of LockBit will arise in the future.
Life after LockBit: Tools and best practices are key
Through the efforts of the NCA and the other member agencies of Operation Cronos, millions of LockBit victims worldwide can now access a free decryptor for the ransomware. But for those who have not been hit with LockBit, it’s important to take precautions and practice defensive measures, despite all of this progress.
YARA rules help threat hunters and researchers detect malware such as the LockBit ransomware. ReversingLabs’ open-source YARA rule for LockBit can detect when this ransomware is running on an organization’s network.
ReversingLabs’ Benge said that, in addition to using YARA rules, organizations should continue to bolster their threat intelligence and threat hunting capabilities in order to keep malware families such as the LockBit ransomware from infecting their systems in the first place.
“As defenders, we have to block 100% of threats, but an attacker only has to be successful in a single attempt out of many. A multi-pronged security approach and incident preparedness strategy are key in fighting against ransomware successfully.”
—Ashlee Benge