LockBit gets Locked Out: Everything You Need to Know Simplified!

There’s finally some Good News from the world of cybersecurity! After reams and reams of news about cyber criminals succeeding at extorting, infiltrating and disrupting businesses across the world, Operations Cronos has given the cybersecurity community something to rejoice over! It has managed to disrupt one of the world's largest and most dangerous Ransomware gangs - LockBit!

The UK’s National Crime Agency (NCA), working in cohorts with the FBI and International Law Enforcement task force, has taken control of the LockBit website and disrupted the ransomware gang’s operations. While the official statement from Law Enforcement agencies said that the operation was an “ongoing and developing” one, it’s certainly something to rejoice over. 

Here's a look at what information has emerged about this successful operation so far and some key facts about LockBit that you should know! 

LockBit locked Out: What we Know so Far

We've summarised what is known in the public domain about the seizure of LockBit and simplified it here for you!  

1. UK’s NCA has seized control and command of the LockBit website in a coordinated international operation called Cronos. 
2. The operation seized 28 LockBit servers in 3 countries along with the world’s largest ransomware gang’s source code. 
3. StealBit, LockBit’s custom data filtration tool, has also allegedly been obtained by the UK NCA.  
4. Data from the LockBit site is a treasure trove of information on hackers. Four arrests have already been made at the time of publishing this blog. Two arrests were made in Poland and Ukraine and two other supposed affiliates were charged in the US. 
5. The disruption campaign has also led to seizure of almost 200 cryptocurrency accounts linked to LockBit. 
   
6. Apart from just disrupting the LockBit infrastructure, one of the main motives of the law enforcement agencies was to shatter the brand and reputation of LockBit. The success of the operation has crushed the credibility of LockBit that was heavily dependent on the anonymity the group was able to maintain. 
7. Sowing seeds of doubt amongst LockBit affiliates was critical to this mission. The message that the International operation wanted to send to cyber criminals was that working with LockBit is not as safe as they assumed it was. 
8. The public exposure by Cronos of LockBit’s nefarious activities is likely to prevent a quick return of the group’s operations in full swing.  
9. While LockBit made many of its victims pay a ransom in exchange for not leaking their data, the NCA has said that it found data of many LockBit victims who had paid up on the recently-seized website. This reiterates the message - Never, ever pay ransom!  
10. Operation Cronos has also managed to recover over a 1,000 decryption keys earmarked for specific LockBit targets. UK Law Enforcement will apparently be in touch with the victims and help them recover their data. 
11. Agencies from 11 different countries including Germany, France, Japan, Australia, New Zealand and Canada, as well as Europol have been part of this massive mission to bring down LockBit. 
12. Operation Cronos has apparently been underway for a while before the public announcement was made this week. 
13. This is the third major disruption of a ransomware gang by international law enforcement efforts in the last year. In June 2023, the FBI hacked into Hive Ransomware’s infrastructure and in December last year, it disrupted operations of BlackCat/ALPHV ransomware gang. 

Key Facts about LockBit  

1. LockBit’s name is enough to send shudders down the spine of anyone who knows anything about cybersecurity. The gang has been behind thousands of crippling ransomware attacks since 2019. 
2. Some of the major victims of the LockBit operation and its affiliates have been names like UK’s Royal Mail, National Health Service, Boeing, China’s largest bank, ICBC .  
3. LockBit was amongst the pioneers of the Ransomware-as-a-Service model which made ransomware attacks as ubiquitous as the M of McDonalds. It remains the most prolific seller of ransomware services. 
4. It outsourced its ransomware targets and tools to affiliates and charged them a commission on ransom payments. 
5. The head of the NCA, Graeme Biggar, said in a press conference that the ransomware group was estimated to be responsible for 25% of ransomware attacks in the last year.
6. LockBit is allegedly run by Russian speakers and thus does not attack Soviet Nations. 
7. Due to the fact that LockBit is supposedly based out of Russia, no direct arrests can be made. Disruption remains the only way to throw a spanner in the works for LockBit. 
8. The Department of Justice has said in its statement that LockBit has targeted over 2000 victims and has received over $120 million in ransom payments. 

Our Views

Yes, it's certainly a cause for celebration that one of the most formidable ransomware gangs in the world has been disrupted by International Law Enforcement agencies. But the agencies themselves have hinted in many statements that this isn't the end of LockBit. It's a major disruption in their operations and a big, big dampener on their reputation but they will try everything to be active soon again.  

The last word? Ransomware isn't going anywhere. It's great news that law enforcement is able to crack down on large ransomware groups, but we must remain perennially vigilant in order to protect our organisations from this scourge. 

Prioritise Ransomware Prevention and Ransomware Mitigation. Get your Ransomware Incident Response Playbook and Cyber Incident Response Plans in order and fit to combat this global threat. 

It is also imperative to regularly test how resilient your organisation is against the ransomware attacks through regular Cyber Crisis Tabletop Exercises. Use our comprehensive list of Cyber Tabletop Exercise Scenarios if you can't hire an expert external facilitator for your cyber drill immediately.  

Finally, enlist the help of expert cybersecurity consultants to build your maturity and resilience against ransomware attacks over time. Our Virtual Cyber Assistant service is the most unique, affordable and flexible service you'll find. You can access the deep expertise of highly experienced cybersecurity practitioners at a fraction of the cost of traditional consultancies. They can help you assess and review your current ransomware attack readiness, identify gaps and assist you in the most efficient ways to bolster your defences against the #1 cybersecurity threat in the world.