Season 6, EP 2

The LockBit Takedown: What We Know

In this episode, host Paul Roberts chats with Ali Khan, Field CISO at ReversingLabs, about the recent takedown of the LockBit ransomware group, which is considered to be one of the most prolific cybercrime groups globally.


Okay, and we are live with ConversingLabs. It's a Friday afternoon, and we're in the studio with Ali Khan, ReversingLabs Field CISO. Ali, welcome. I think this is the first time that we've actually had you on ConversingLabs.
It's great to have you on. We're with you here to talk about one of the big events of the week, which was a coordinated takedown of the LockBit Ransomware gang. Certainly a major event. So, before we get going on that conversation, do you want to tell the audience a little bit about yourself and what you do at ReversingLabs?

Yeah, absolutely. Thanks, Paul, for having me out. I work with the threat intelligence team. I've spent the last 10 years in threat intel. I focus on cyber threat intelligence, detection engineering, and threat hunting teams. We have a malware analysis and threat hunting platform. I try to work with our customers and our prospects and our existing teams to understand how we can improve security operations center deficiencies, coordinate their playbooks, their orchestration platforms, to curate and enrich the really good intelligence that we have.

In your day job you spend a lot of time talking about malware and malware threats, and obviously ransomware is at the top of everybody's mind in terms of just costs and disruption and so on. What can you tell us about the news that broke this week, which was of this coordinated takedown, basically Five Eyes countries, U.S., U.K., and Australia, and so on, of LockBit, this ransomware-as-a-service gang?

Yeah. Paul, that's a really good question. So essentially, LockBit was a ransomware-as-a-service operation, and it was a ransomware syndicate run by multiple affiliates and operators. Operation Cronos, kind of a collective defense effort, took place with multiple countries and intelligence agencies to take down this ransomware syndicate. LockBit actually was known to be fairly the most successful front runner, as many would call it, in extorting victims, even using tactics like double extortion, not only extorting victims for decrypting after encrypting their systems, but also extorting them by extracting ransom for their data as well. So, it was a very aggressive operation in a ransomware gang.

And I think the one good example was in the state of Georgia, Fulton County was taken out by LockBit, unfortunately, for multiple weeks. And so this gang's successful operation of using legitimate internet service providers, legitimate VPS cloud providers in countries in Asia, in countries in the Middle East, and countries even abroad here in the U.S., they were very successful in using their pyramid scheme in hiring affiliates, operators, administrators and running their operation like a legitimate organization to accelerate the implementation of ransomware.

The last known FBI data set that we had around LockBit was north of 1,700 attack victims. Keep in mind, Paul, these are just victims that came out, right, and disclosed it after the ransomware attack. Many people did quiet payouts. And I think the last estimate was around 120 million dollars, even more, extracted from these victims. And they targeted different types of organizations from high tech, manufacturing, to government sector clients, to the U.K. Royal Mail, Boeing, law firms, banks, and even SpaceX.

This is a really successful display of collective defense, how intelligence sharing organizations could come together and actually start to look at the resources that these affiliates were able to use, both legitimate and bulletproof hosting, illegitimate resources, and trying to gain further access, initial access, and then moving really fast into the environment. This is really hard work and effort into the offensive capabilities and the investment that our country and our CISA, as well as the U.K. NCA, right? And other agencies have invested in offensive security capabilities, to actually go out after and exploit vulnerabilities in ransomware affiliates and actually take them out.

So I think we've started to finally shift the pendulum to recognize that the world is flat, as Thomas Friedman said in his famous book 20 years ago. And because the world is flat in a digital economy we actually have to continue to play proactive threat hunt and defense.

Saying the world is flat in 2024 actually means something slightly different.

Yeah, that's true. That's true.

Some people can be like, yeah, the world is flat.

I know.

It's just a metaphor.

Yeah. As a historian, I think one of the funny things I've thought about prior to coming on with you, Paul, today, I thought, the whole digital age is only 24 years old, right? This whole experiment, right? When we think about the dot-com boom and how someone from Vietnam can collaborate with someone in California, or someone from Russia can access enterprise resources and infrastructure within seconds, and encrypted. So, this experiment of the digital frontier being completely flat and equal footing, I think, ironically, that's why we've started to invest heavily in offensive capabilities.

To make sure that the internet is achieving the ultimate goal that it was set out to do without the risks and the safety concerns we've put into it.

Right, and Friedman's book actually was written in the early days, probably, of the dot-com boom, and I think in some ways obviously didn't anticipate that there are actually risks that go along with that opportunity as well, and cyber risk in particular.

Nobody was really thinking that way back then, but you're absolutely right. Saying the world is flat, there's a lot that goes along with that. One of those things is increased cyber risk, and in this takedown itself, I think four or five of the servers that LockBit was operating were operating in the United States, right?

Yes, that's right.

Amazing to think of, but true. So LockBit has a storied history, they've been operating, I think, since 2019, and at one point I think as much as 15 percent of overall ransomware payments were to LockBit. So hugely successful. What can you tell us about the history of the group and how they operated? Why were they so successful at what they did or their campaigns?

Yeah, it's a great question. So when we look at ransomware groups in general, as a whole, they're not that old, right? The operation first started out maybe about seven, eight years ago from a mature operation point of view. Fairly young, right? If you think about Facebook as a company, Google as a company, they're older. So in its infancy stage, we're talking about a highly sophisticated attack vector that can cripple organizations for days and weeks, and take their operations out, and daily financial losses. So, threat actors said, okay, why would I hijack an account or a virtual machine that can be spun up within minutes? Why not go after the entire operation?

So what they started to do is form a very organized syndicate, and LockBit, unfortunately, became the most successful over the last few years when we talk about Black Cat, Black Basta, Royal, some of the CL0P, right, Eastern European ransomware gangs that really started to proliferate and accelerate their investment. And how they really got into this successful positioning is just really using successful open source existing tools that large enterprises love to operate like RDP, minitabs, RMM tools, and really investing heavily in hiring affiliates and creating an initial access broker to extract known credentials. So if I have access to a legitimate user, a username, a legitimate user credential, I can initially bypass that initial access stage that I need to gain access and put all things into your resources.

This group was really well known to do that well, and what they did is they kept on actually improving their software just like a software company. That's why they are a RaaS, right? They went from 1.0 to 2.0 and 3.0, and through the progression, the sophistication and the capability became really good and fast. They use Salsa20, and their encryption algorithm is super fast. So the time they would get from initial access to exfiltration, and then encryption, was completely faceted. It would literally be minutes to give detection engineers, defenders, security operations to respond, right? Because if you look at a large, complex enterprise environment, you typically have layers of approvals, layers of ticketing processes.

So imagine the time it takes for an alert in a ticketing system, and then someone is assigned that task to investigate that task, that could take minutes and hours, right? And so this gang doesn't have that limitation. It is teaching and preaching, right. For years, when they went into market, so to speak, in their ransomware-as-a-service operation, they started to teach their affiliates and operators that they were selling their services out to, to focus on the acceleration of speed. The tools were very sophisticated, they kept on improving the versioning of it. They really exploited known and legitimate resources like RDP, and then a GPO object, which are domain objects that everyone needs to use. RDP, every developer, DevSecOps manager or a SOC operator needs to use these day-to-day tools. So I think they really exploited this as an industry, and so there's a lot for us from the security industry to learn from those. But a really good example, disabling EDR systems, right? Do you allow that to occur outside of a non-admin account? Does the local version, as always, should be able to disable a tool that allows security to prevent exfiltration and encryption from occurring, right?

So a lot of things we've learned in the security industry are the tactics and techniques that the successful gangs have used, and we started to finally incorporate this. But keep in mind, we are in the infancy stage of the successful attack and formation vectors of these groups. Even though the FBI took down last year the Hive group, which is another ransomware group. Keep in mind, they broke off, they were able to regroup and rebrand themselves. It's a very sophisticated operation. So I'm really curious on how further and deeper these multi-agencies will penetrate the developers, the administrators of these accounts and get them. But it's a great question. I think their sophistication of exploiting known resources was really fast, so that's why they were able to successfully penetrate so many victims.

Interesting. So this was a pretty comprehensive takedown at least according to Operation Cronos, they infiltrated the group's infrastructure, got access to their source code, to their dox site, which is where they would publish the data they had stolen from victims to force them to pay up, and repurposed that as a site celebrating their takedown and published a decryption key. Big question is, what does this mean practically for either current or past victims of the LockBit ransomware gang? Does this really neutralize that LockBit software threat? Even if the group itself reforms?

Yeah, that's a great question. How does this affect me? Obviously, this is going to be the ongoing discussion in the intelligence community. I'm logged into our Malware Analysis Threat Hunting Platform, searched for LockBit, and what I'm seeing in our cloud environment, and the top malware files that they use to exploit the system. So, I see a huge spike of the variation today in terms of people validating, can the same malware be bypassed in the EDR system? What kind of notes? TXT files, PE executable binaries that they actually used to bypass controls and get into the environment.

So I think to answer your question, one, I would say, try to do a really good adversary emulation exercise in your own environment. If you're a large, fairly mature security operations center, hopefully you have a dedicated malware analysis engineer, that cyber defense operator, that can run detections against your EDR, network monitoring systems and your SIEM and see what kind of end data you could correlate around LockBit samples. That's step one. See and validate and run if they're indeed detecting it, because there are going to be really good detection rules that will be published as a result of this takedown by CISA, NCA. And so definitely consume that knowledge up front.

You're right, I would applaud the agencies' kind of retaliation, which was funny, right? Because LockBit was famous for publicly shaming its victims. And, I think it was a long time coming that we were able to exploit their vulnerability and their infrastructure, and then publicly shame, right? So you see this type of activity that can take place. It is really tit-for-tat, and continue to play the cat and mouse game.

I think Operation Karma might've been better...

Right? Exactly. That would have been a great name for the operation. I agree. And so I think, from a cyber defense operations perspective, if you're a fairly large, mature, enterprise SOC, right? And you have a dedicated threat hunting team, go through and run an adversary emulation exercise, advance file hashes, signatures, write samples, of known LockBit variants and see how your detection tools are actually doing in terms of coverage. I think the second step, if you're a medium sized organization, local county officials, the ones that really struggle with ransomware, unfortunately that could get leveraged. I think, try to work with your local managed security service provider, understand how they're using and consuming threat intelligence today for ransomware.

The best approach is really having a ransomware readiness exercise for your organization. It doesn't cost much to get everyone in your security team and people who have privileged access, management accounts, anyone who has RDP installed, anyone who has privileged access to move laterally within the network and has network level access. Make sure those people are involved in a readiness exercise. That is the most important thing you could do to actually understand which tools are working as expected. Are you actually following the process right for resiliency and response? Because with ransomware gangs, once they get in, it's minutes, not hours, that they can actually bypass these controls.

The more you start to understand how this progresses throughout your system, what attack techniques these samples actually leverage, the better you can understand how you can create a defense in depth strategy to mitigate these attacks. So I think, unfortunately, again, I'll go back to something people don't realize: this internet experiment is about 25 years old. Ransomware capability is only about 5 to 7 years old when we talk about advanced capability. We are really at the infancy when we look at the larger period in terms of upskilling our people who are coming out of colleges, high schools. Upskilling existing staff on ransomware readiness from just training awareness, security awareness, to even basic mitigation like only use RDP in these scenarios and please notify your IT administrator when you need to enable it and then disable it. Doing inbound SMTP calls, command line things, that could be really dangerous and give a foothold.

Look at your basic configuration and your environment. What are the tactics that are being used by ransomware gangs like LockBit? Even though this takedown is a great step for us as a collective defense industry, there are known ransomware gangs that have rebranded in the past after a takedown, so talk to your cyber insurer. I know the war exclusion act has been a big pain point for a lot of companies and how we're in these tense geopolitical times, but also talk to your cyber insurer, talk to your CIO, and your counterparts outside of security to understand, how do we prepare ourselves as an organization while our country and our government, the insurance industry, is trying to catch up with this relatively new, extremely volatile and financially large impacting threat, right?

Really good points. And I think it's obviously important for people to realize, with LockBit, the infrastructure was taken down, the code was taken down, but the perpetrators, the criminals themselves, are still at large, haven't been arrested. And as you said, with Conti, which rebranded as Black Basta, and there have been other examples of this, it doesn't take long for them to reform and be out there and back in business, usually under another name. But the risk from your standpoint as an organization, has it gone away? And the strategies and techniques that they use are going to be very similar in their next iteration, right? So the stuff that's going to keep you from getting compromised by LockBit is going to probably keep you from getting compromised by whatever LockBit becomes in its next iteration.

You know, having something like a simple ransomware focused intelligence feed, having that operationalized in your threat intel platform. Keeping in mind that attack vectors and mitigation through that is the best approach. Threat informed defense, meaning if your organization is likely susceptible to a ransomware attack after you do this readiness exercise, it's probably better you deploy a focused feed or focused intelligence around pivoting that, and resiliency plans around that specific attack vector.

Ali Khan, Field CISO at ReversingLabs, thank you so much for coming in and speaking to us on ConversingLabs. We'll do this again. This is great, man.

Awesome. Thanks, Paul. Thanks for having me.

About Author: Paul Roberts

Content Lead at ReversingLabs. Paul is a reporter, editor and industry analyst with 20 years’ experience covering the cybersecurity space. He is the founder and editor in chief at The Security Ledger, a cybersecurity news website. His writing about cyber security has appeared in publications including Forbes, The Christian Science Monitor, MIT Technology Review, The Economist Intelligence Unit, CIO Magazine, ZDNet and Fortune Small Business. He has appeared on NPR’s Marketplace Tech Report, KPCC AirTalk, Fox News Tech Take, Al Jazeera and The Oprah Show.
