Russia’s LockBit disrupted but not dead, hacking experts warn
Two arrests. Twenty-eight servers seized. And 1,000 decryption keys obtained that can help hacking victims worldwide get their data back.
The takedown announced Tuesday of the Russia-linked hacking gang LockBit, which by some estimates has been responsible for a quarter of all ransomware attacks, represents what law enforcement agencies in the UK, US and Europe described as one of the heaviest blows they’ve ever dealt against criminal hackers. It comes after a relentless surge of major attacks in recent months by LockBit and other groups, which have created a global scourge, extorting victims by locking up their computer systems with encryption software and stealing their sensitive data.
But the episode also highlights what those same authorities acknowledge is the never-ending nature of the fight against cybercrime. Even after hacking groups such as LockBit are dealt a devastating blow, they often quickly regroup and begin attacking again.
“We have not arrested everyone related to LockBit — this is a long-term process,” Graeme Biggar, director general of the UK’s National Crime Agency, said at a press conference in London. “What all of them know now is that we’re on to them, and they’ll be forever looking over their shoulders.”
The actions announced Tuesday include the arrest of two alleged LockBit members in Poland and Ukraine; the indictment in the US of two other alleged members, though they are located in Russia and unlikely to face extradition; the seizure of 28 servers and some 200 cryptocurrency accounts associated with the gang; and, most significantly for LockBit’s thousands of victims, the recovery of decryption keys which can now be used to unlock hijacked data.
Many cybersecurity experts praised the multinational effort as expansive and aggressive, and as likely to deal a significant setback to a group that has become synonymous with the most disruptive and costly cyberattacks of recent years. However, some also warned that the recent history of similar takedowns shows it’s not long before hackers are back on their feet.
“The LockBit website disruption and takedown is likely one of the most significant cyber operations undertaken by law enforcement ever,” said Ed Dubrovsky, chief operating officer for Cypfer, a ransomware response and negotiations firm in Toronto, citing the arrests, the amount of data seized by law enforcement and the planned use of the decryption tools.