
LockBit Ransomware Group Returns After Law Enforcement Operation – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

The LockBit ransomware group is swinging back days after U.S. and UK law enforcement agencies announced they had disrupted the operations of the prolific cybercrime gang, including seizing infrastructure and public-facing websites, grabbing decryption keys, and indicting two alleged members.

LockBit operators reportedly are back up on new infrastructure, with a new .onion address on the TOR network whose leak site lists as many as a dozen new victims. At the same time, the LockBit administrator, in a lengthy message, admitted that some of the group’s servers had been hacked by the FBI but said the group was still in operation and threatened to retaliate by targeting U.S. government sites.

Operation Cronos was the latest of such efforts by the U.S. Justice Department (DOJ), FBI, and international law enforcement to fight back against the growing ransomware threat by infiltrating groups’ infrastructure, seizing servers and domains, and getting or developing decryption keys to enable victims to regain control of their encrypted data. Previous initiatives targeted such groups as Hive and BlackCat, also known as ALPHV.

The operation against LockBit targeted a ransomware-as-a-service (RaaS) group and its affiliates that the DOJ said were responsible for more than 2,000 attacks worldwide since January 2020, collecting more than $144 million in ransom payments. The DOJ also is offering rewards of up to $10 million for information about the group’s leaders.

Administrator Admits to Laziness

The LockBit administrator said in the message that the FBI likely was able to take down some of the group’s servers by exploiting systems that were running unpatched versions of PHP and were vulnerable to the CVE-2023-3824 remote code execution (RCE) flaw, though they added it also could have been a zero-day bug.

Still, they admitted to being lazy, adding that due to “personal negligence and irresponsibility I relaxed and did not update PHP in time.”

They also warned that other ransomware groups running similarly unpatched servers may also have been compromised by law enforcement agencies.

Rebuilding Infrastructure and Reputation

Throughout the at-times rambling message, the administrator looked to bolster the group’s capabilities and reputation while downplaying the effect of the operation. The ransomware space is highly competitive, particularly as it evolves toward a RaaS model, in which groups not only use their own malware but also license it out to affiliates, who run their own attacks with it and share the ill-gotten gains with the ransomware developers.

If one ransomware group goes down, affiliates can always find others to attach themselves to.

“All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped,” the administrator wrote.

The Fulton County Attack

They also speculated that the law enforcement agencies targeted LockBit at this time because of the January attack on Fulton County, Georgia, government offices. The county District Attorney’s Office is preparing to put former president Donald Trump and several other defendants on trial for fraud and other crimes allegedly committed after the 2020 election.

According to the message, “the stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election. … Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates.”

Cybersecurity expert Chris Krebs wrote that the law enforcement action came just as LockBit was preparing to release data stolen from Fulton County, and that the group now says it will publish the data March 2 if a ransom isn’t paid.

Law enforcement agencies often will infiltrate ransomware networks and collect information rather than announce their hacks, the administrator wrote. That means LockBit needs to ramp up its attacks on U.S. government agencies to force the FBI to show how it had infiltrated the operation, allowing the group to shore up weaknesses and vulnerabilities.

“By attacking the .gov sector you can know exactly if the FBI has the ability to attack us or not,” they wrote.

Making Adjustments

The administrator admitted that the FBI in its operation seized a database, web panel sources, locker stubs, and the decryption keys, although they added that the 1,000 claimed by the DOJ were a fraction of the almost 20,000 on the servers and that most were protected. That is half of the 40,000 or so that had been created since the LockBit ransomware hit the scene.

Among the changes the administrator claims they will make in the aftermath of Operation Cronos is ensuring there no longer will be automatic trial decryptions. Instead, all trial decryptions and the issuing of decryptors will be done manually.

In addition, the LockBit group will change how it operates its affiliate panels. The administrator said the more significant law enforcement threat coming out of the infiltration was to the source code of the affiliate panel, which at the time listed all affiliates. Instead, the panel will be spread among multiple servers.

“Due to the separation of the panel and greater decentralization, the absence of trial decrypts in automatic mode, maximum protection of decryptors for each company, the chance of hacking will be significantly reduced,” the administrator wrote.

There’s Always an Impact

Drew Schmitt, a ransomware negotiator for GuidePoint Security, told SecurityBoulevard that while law enforcement efforts like Operation Cronos may not completely shut down a ransomware group like LockBit, there is an impact.

“It shows these groups that they are not untouchable,” Schmitt said. “Takedowns to the level that we are seeing with Lockbit are very impactful to groups, and although they may not completely disappear, they are definitely feeling the pressure and impacts right now.”

Dismantling such a group isn’t easy. They often use security measures that include a heavily decentralized infrastructure – the LockBit administrator noted efforts to increase decentralization – and steps to hide identities, such as using the TOR system. In addition, even if law enforcement uncovers perpetrators’ identities, the countries in which they live may not want to arrest them or stop the illegal activity, he said.

Also, the RaaS model means more affiliates within the group, so the core ransomware developers and owners have to be taken down in addition to the myriad affiliates for a ransomware operation to be dismantled with little opportunity for a splinter or rebrand to occur.

With LockBit, the FBI and other agencies put a particular emphasis on the affiliate structure, highlighting intelligence gathered about affiliates, Schmitt said.

“This is one of the first large-scale examples that we have seen where law enforcement is focusing on the affiliate structure which will hopefully destabilize how cybercriminals think about the affiliate structure within RaaS groups,” he said.


Original Post URL: https://securityboulevard.com/2024/02/lockbit-ransomware-group-returns-after-law-enforcement-operation/

Category & Tags: Cloud Security, Cyberlaw, Cybersecurity, Data Security, Featured, Incident Response, Malware, Network Security, News, Security Boulevard (Original), Social – Facebook, Social – LinkedIn, Social – X, Spotlight, Threat Intelligence, Threats & Breaches, BlackCat ransomware, FBI, LockBit ransomware
