PC Pro

“This is a big player, the most active ransomware group, taken down in a big way”

The takedown of LockBit ransomware not only puts that group’s future in jeopardy, it teaches all of us some valuable lessons

- Davey is a journalist and consultant specialising in privacy and security issues @happygeek

In the long distant past, when I wasn’t even three decades old, I was a hacker. To be precise, I explored online networks without permission, being very careful indeed not to break them, in order to learn more about the emerging connected world.

What I didn’t do was think it would be an excellent opportunity to steal data or blackmail people using whatever I might have stumbled upon. It would never in a million years have occurred to me to go and try to take a hospital offline or grab a load of patient data before locking down the original until half a tonne of cryptocurrency was sent in my direction. But then I am not, and never have been, a profit-driven arsehole who doesn’t care about the harm they cause or to whom that harm is caused.

Criminals who target hospitals are the scum of the earth.

The same can be said for cybercriminals who partake in ransomware attacks. These scumbags really are the lowest of the low. As someone with complex health issues myself, I know only too well how hard everyone who cares for me works, many with very little reward in terms of their salary.

As I write, around 100 hospitals in Romania are recovering from the impact of a ransomware attack against a supplier that delivers managed IT systems to healthcare using the Hipocrate platform.

Some ransomware groups have tried to take the moral high ground – oh, the absolute irony – by saying their “rules” forbid associates from attacking healthcare targets. Yet most of these have also downed hospitals or clinics, crying about collateral damage or rogue associates when the law enforcement pressure is upped, and the media paints them for what they actually are.

Some, such as LockBit, do “allow” for attacks against healthcare and pharmaceutical targets, but on the basis that – can I say “oh, the irony” again? – the attack must not endanger life. Any attack that prevents or delays treatment, be that medical, surgical or pharmaceutical in nature, endangers life. Simple as. Although the criminal group behind the Romanian attack has remained unnamed at the time of writing, it’s clear that it knew exactly who it was attacking. Some 25 hospitals were impacted directly by the ransomware, while another 79 took their systems offline as a precautionary measure while investigations into the attack continued.

Unusually, the Romanian ransomware attack doesn’t appear to have exfiltrated any data. It’s unusual as this is the most common route that attackers take these days, holding destruction, publication or sale of that data to ransom. The ransom demand of around $100,000 in Bitcoin is also unusual in that it’s on the low side, to say the least, for such an attack. All of which suggests to me that this could be a relatively new ransomware group.

Whatever, I hope it suffers the same fate as the aforementioned LockBit gang, whose infrastructure has been seized in a joint operation led by the UK’s National Crime Agency with cooperation from the FBI and Europol.

LockBit gang down, but will they stay out?

Operation Cronos has been successful in taking control of LockBit’s infrastructure and, importantly, the data behind the group’s data leak site. I must admit that I did chuckle and raise a glass to the NCA operatives who replaced LockBit’s data leak site information with a superb trolling display of member arrests, links to decryption keys and an offer of $10 million on the head of the group’s admin. But, more seriously, this is a big player, the most active ransomware group for the past two years running, taken down in a big way. I’ve been speaking to members of the security community and it’s worth reading what they have to say as it’s very on point.

Let’s start with Chester Wisniewski, director and field CTO at Sophos. “The work of the UK’s National Crime Agency (NCA) and their international partners has delivered a severe blow to the world’s most prolific criminal ransomware syndicate,” he told me. “This is the most insight we have gained into how these groups operate since Conti’s implosion in May of 2022. The decentralised nature of these groups makes them particularly difficult to track down.”

Wisniewski also said that law enforcement has acquired access to the encryption keys used to lock up victims’ files and will provide them to help with recovery. Unsurprisingly, and it’s something I’ve been warning organisations about for the longest time, Wisniewski went on to say that the exfiltrated data of those who paid a ransom to have it deleted – so it supposedly couldn’t be published or sold in future – wasn’t actually deleted at all.

Wisniewski doesn’t, however, expect LockBit “to make a triumphant return”. Instead, he points to those that have been disrupted before and rebranded “under different banners to continue their ransacking of innocent victims’ networks and take on name identities to evade sanctions”.

Mark Stockley, senior threat researcher at Malwarebytes, also considers the “unanswered question” of “how much of LockBit group is left intact, and what they will do next”. Like Wisniewski, he doesn’t see the LockBit brand surviving as is. “I expect it will either rebrand or disperse into other groups in the way that Conti did. But will anyone want to work with them?”

Perhaps the most important consequence of the NCA takedown is the message it sends. “LockBit is the 800lb gorilla in the ransomware world,” Stockley said. “If law enforcement can tackle LockBit, they can tackle any group. This won’t stop ransomware, but every ransomware group is going to look over its shoulder and wonder if law enforcement has already infiltrated them, or any other groups they work with.”

However, as Adam Marré, CISO at Arctic Wolf and a former FBI agent investigating cybercrime, warned: “Last year Arctic Wolf identified how the new ransomware group Akira had risen from the fallout of the Conti ransomware in 2022. Given the dispersed nature of LockBit, it is also likely [that] threat actors who aren’t involved in any follow-up arrests will still make use of the existing infrastructure not affected by this activity.”

I also thought it was interesting that it would appear LockBit was taken down by law enforcement agents infiltrating their networks using a known vulnerability, in the same way that LockBit associates infiltrate their victims.

“Operation Cronos gave LockBit operators a taste of their own medicine,” Huseyin Can Yuceel, a security researcher at Picus Security, said. “According to LockBit admins, the law enforcement agencies exploited CVE-2023-3824, a PHP vulnerability, to compromise LockBit’s public-facing servers and gain access to LockBit source code, internal chat, victims’ details and stolen data.” This has been picked up by contributors to some of the dark web’s Russian-language criminal forums, where other threat actors have spoken of the bad operational security from LockBit that allowed an unpatched vulnerability to take them down in such a high-profile operation.

But wait, there’s more. Over to Brian Higgins, a security specialist at Comparitech. “It’s a win for the good guys, but it’s no reason to let down your guard or cut your budgets,” he said. “The best thing to do is follow the story, read all of the press releases and reports to find out how you can use any publicly released intel to target-harden your organisation or business, and learn from the methodologies and protections that may come to light.”

Ryan McConechy, CTO of Barrier Networks, concludes that this should involve “training on threats, implementing MFA to secure employee credentials, keeping systems up to date with patches, and getting a well-oiled and comprehensive incident response plan in place, so everyone can step straight into effective action, even when attacks do occur”.
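As an added example for this column (not code from the magazine or from any of the researchers quoted), the Python script below applies that patching advice to the vulnerability named above. It parses `php -v` banners from a constructed host inventory (the hostnames and banners are made up) and flags builds that predate the releases carrying the CVE-2023-3824 fix, which PHP shipped in August 2023 as 8.0.30, 8.1.22 and 8.2.8; branches older than 8.0 were already end-of-life and never received it. A Linux distribution may have backported the fix without bumping the upstream version, which a version check cannot see, so a hit is a prompt to verify, not a verdict.

```python
import re

# First release of each then-supported PHP branch that carried the fix for
# CVE-2023-3824 (phar_dir_read() buffer overflow), per PHP's August 2023
# security releases. Branches older than 8.0 were end-of-life and never fixed.
FIXED_CVE_2023_3824 = {
    (8, 0): (8, 0, 30),
    (8, 1): (8, 1, 22),
    (8, 2): (8, 2, 8),
}
OLDEST_FIXED_BRANCH = (8, 0)

# Constructed sample inventory: hostnames and banners are made up for the example.
SAMPLE_INVENTORY = {
    "blog.example.test": "PHP 8.1.2-1ubuntu2.14 (cli) (built: Aug 18 2023 11:41:11) (NTS)",
    "leaks.example.test": "PHP 8.2.6 (cli) (built: May 10 2023 10:00:00) (NTS)",
    "panel.example.test": "PHP 8.2.8 (cli) (built: Jul 6 2023 09:00:00) (NTS)",
    "legacy.example.test": "PHP 7.4.33 (cli) (built: Nov 1 2022 12:00:00) (NTS)",
    "new.example.test": "8.3.0",
}

_BANNER = re.compile(r"\bPHP\s+(\d+)\.(\d+)\.(\d+)")
_BARE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Return (major, minor, patch) from a `php -v` banner or a bare version string.

    Distro suffixes such as 8.1.2-1ubuntu2.14 are ignored: a distribution may have
    backported the fix without changing the upstream version, which this check
    cannot see, so treat a positive result as something to verify on the host.
    """
    m = _BANNER.search(text) or _BARE.match(text)
    if not m:
        raise ValueError(f"no PHP version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_exposed(version, fixed=FIXED_CVE_2023_3824, oldest_fixed=OLDEST_FIXED_BRANCH):
    """True if an upstream build of this version lacks the CVE-2023-3824 fix."""
    branch = version[:2]
    if branch in fixed:
        return version < fixed[branch]
    if branch < oldest_fixed:
        return True   # end-of-life branch: no upstream fix ever shipped
    return False      # branch released after the fix (8.3 and later)


def triage(inventory, fixed=FIXED_CVE_2023_3824):
    """Map host -> version banner to the sorted list of hosts still exposed.

    A banner that yields no parseable version is reported as exposed, because an
    unknown build on a public-facing server is exactly what needs checking first.
    """
    exposed = []
    for host, banner in inventory.items():
        try:
            version = parse_php_version(banner)
        except ValueError:
            exposed.append(host)
            continue
        if is_exposed(version, fixed):
            exposed.append(host)
    return sorted(exposed)


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: build predates the CVE-2023-3824 fix, verify and patch")
```

Run against the sample inventory it reports the 8.1.2, 8.2.6 and 7.4.33 hosts and clears the 8.2.8 and 8.3.0 ones; point `SAMPLE_INVENTORY` at the output of your own asset inventory to use it for real.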

Ransomware-as-a-service model remains atop the criminal strategic tree

LockBit operated on what is known as a ransomware-as-a-service (RaaS) model. This is a modus operandi that has become dominant in the world of ransomware groups as it leaves the creators of the ransomware software, the cyber-kingpins if you like, a few steps removed from those actually undertaking the attacks.

By using affiliates or associates, recruited through criminal dark web forums and usually highly vetted before acceptance, the creators hope to separate themselves from the dirty work and reap the rewards.

Well, some of the rewards: the affiliates often get the lion’s share of any ransom paid.

The affiliates get access to the ransomware malware, which the main group maintains and evolves, as well as a control panel that can include additional methods of applying pressure on victims, such as the publication of stolen data to the “official” leak site and launching denial of service attacks. These affiliates often employ the use of third parties themselves, notably initial access brokers, to purchase details of organisations with known vulnerabilities that can be exploited or which have already been compromised with stealth malware.

Brian Boyd, head of technical delivery at i-confidential, says that “ransomware-as-a-service means targeting smaller organisations with smaller ransoms can become a force multiplier”. It also means that attacks can be carried out with relative ease. “Criminals have box-packed tools that make it easier than ever for novice criminals to launch devastating attacks,” said Boyd, adding that organisations of all sizes should boost their defences against ransomware. “Otherwise, with the prevalence of RaaS models, we could be seeing even higher numbers in the year ahead.”

Dr Evil does ransomware

Sticking with the ransomware theme, a fascinating report came my way courtesy of Chainalysis, namely the Crypto Crime Report for 2024 (tinyurl.com/356chain).

Now, ordinarily, anything that mentions cryptocurrency raises red flags for me as it’s often yet another over-hyped marketing fluff job in disguise. But this one was different: it had substance, and it looked at cryptocurrency payments received by ransomware groups.

Two headline statements stood out for me: that 2023 was the worst year on record when it came to the amount of crypto payments paid to ransomware groups; and that the total amount broke $1 billion for the first time. I feel like I should have my pinky finger on my lip, Dr Evil style, as I type this, but yes, you read that right, one billion dollars in just one year.

To put this into context, in 2022 Chainalysis reported a figure of $567 million in ransomware payments, largely down to the success of law enforcement takedowns. In 2021 the number had drawn perilously close to the billion, at $983 million. What impact the LockBit takedown will have on the 2024 totals remains to be seen, but 2022 apart the trend has been upward since 2019.

The report looks to big-game hunting groups as the reason for the rise in overall ransom payments, with Cl0p and LockBit (and others) taking down some very big names with very big, multi-million-dollar ransoms as a result. Sure, as Brian Boyd mentions, these trophy targets are not the be-all and end-all of ransomware, and smaller organisations can’t afford to let their guard down, but groups carrying out such attacks are looking to maximise profit and minimise risk. The fewer the targets, the lower the risk of getting caught.

However, the flip side of this particular criminal coin is that by going for bigger targets, there are more resources poured into hunting down the perpetrators. As the report states, one thing is for sure: “Overall, big-game hunting has become the dominant strategy over the last few years, with a bigger and bigger share of all ransomware payment volume being made up of payments of $1 million or more.”

Image caption: Operation Cronos took control of LockBit’s leaked data site

Image caption: “It’s a win for the good guys, but it’s no reason to let down your guard”

Image caption: The NCA, the FBI and Europol joined forces to infiltrate the LockBit network
