Is the LockBit brand finished or will the gang rise again?

11 Mar 2024

The ransomware group managed to create a new website and relaunch its operations quickly, but a lack of action since then suggests the gang may be trying to hide how impacted it was by Operation Cronos.

It has been less than three weeks since the notorious LockBit ransomware gang was hit by a disruptive attack by international law enforcement groups, shaking up the digital criminal underworld.

An international task force led by the UK’s National Crime Agency (NCA) managed to beat the criminals at their own game, hacking the gang’s data leak website and gaining vast amounts of data on its operations and its affiliates. This was dubbed Operation Cronos.

LockBit rose to become one of the most prominent ransomware gangs in recent years and is suspected to be behind various high-profile cyberattacks. The gang also offers ransomware-as-a-service, providing its malware to other criminals to boost its income and reach.

The disruption appeared to leave the gang on the back foot, but it isn’t finished, as the group created new servers and claimed to launch fresh attacks roughly one week after Operation Cronos.

Things have been relatively quiet since then, however, which has left some wondering if the gang will truly be able to resurrect itself, or if it will fade away after its embarrassing disruption.

Speed and resilience

One person who believes this isn’t the end of LockBit is Ricardo Villadiego, the founder and CEO of cybersecurity firm Lumu. Speaking to SiliconRepublic.com, he noted how quickly the ransomware gang was able to reset its operations and restart itself after Operation Cronos.

“It took them less than four days to be fully operational again,” Villadiego said. “And on 21 February they were operating on a backup site. So it’s definitely not the end.

“I think it definitely created some disruption but the business model from the ransomware gang’s point of view is just so attractive that they will continue to do what they know best, which is to execute these types of attacks and try to gain some profits from it.”

Villadiego still believes that the amount of data that was stolen from the ransomware gang was substantial, but added that gangs like LockBit are running a “sophisticated business” and that the speed of their recovery suggests they “clearly understand that law enforcement is a risk to their operations”.

“They are building the resilience capabilities that they have to build within their business model to ensure that their business continues,” Villadiego said. “It would be dumb to think that they did not have backups of that data.”

He also noted that law enforcement operations like Operation Cronos are different to physical operations – like a seizure of drugs from a cartel – as when physical objects are seized they are “gone for good”. But a cyberspace operation will seize “lines of code” that can be backed up or quickly remade.

Hiding the true damage?

But while the gang may be operational, there is evidence that some of its earlier operations were disrupted by Operation Cronos. A report by The Register claims the deadline for one of its victims to pay a ransom was reached but no data was published – suggesting the gang may have permanently lost the data it was threatening to leak.

This also suggests the gang is attempting to save face and hide how much damage it suffered from the law enforcement operation. A recent report by Bloomberg claims both LockBit and BlackCat – another notorious criminal gang – are in disarray from recent law enforcement operations.

The NCA claims to have gained lots of information on LockBit’s operations that could seriously hamper its future operations, including cryptocurrency wallets where the gang’s finances were stored and decryption keys to aid previous victims.

The agency also claims to have information on a network of 194 “affiliates” who work with LockBit and use its ransomware-as-a-service model. This disruption could impact the gang’s reputation and see criminals turn to rival ransomware providers instead.

The next big threat?

Law enforcement groups around the world have been ramping up their efforts to deal with the rising threat of ransomware groups, with reports suggesting that this criminal sector declined towards the end of 2023 as a result of these operations.

But the disruption or destruction of a gang like LockBit won’t be enough to deal with the threat of ransomware. Villadiego noted that the ransomware ecosystem is connected to other cybercrime operations, such as infostealers who covertly gather data on businesses and sell this information to other attackers.

Also, the loss of the LockBit brand would not mean an end to the criminals behind it. Stephen Robinson, a senior threat intelligence analyst at WithSecure, believes many members of LockBit are “protected against international law enforcement” thanks to them residing in Russia and Russia-aligned states.

“The [law enforcement agencies] have offered $15m bounties for information leading to the identification of leaders of the LockBit group – which could suggest that they don’t currently have that information,” Robinson said.

Mark Stockley, a Malwarebytes senior threat researcher, said last month that it is unlikely that the LockBit “brand” will survive the Operation Cronos disruption and predicted that it will either rebrand or disperse into other groups.

This type of move has been witnessed when previous cybercriminal groups got disrupted by law enforcement, such as the Conti ransomware group.

If LockBit falls, Villadiego says BlackCat could become the top name among ransomware gangs, but he also noted that an up-and-coming form of ransomware called Phobos, which is targeting critical infrastructure in the US, has been spotted.

Leigh Mc Gowran is a journalist with Silicon Republic