Global Law Enforcement Disrupts LockBit Ransomware Gang

Global law-enforcement authorities including the FBI have disrupted the activities of the formidable LockBit ransomware gang, taking control of its platform and seizing data associated with its global ransomware-as-a-service (RaaS) operation.

Information obtained by the operation — called Operation Cronos — includes source code, details of ransomware victims, stolen data, decryption keys, and the amount of money extorted by LockBit and affiliates, according to a message from authorities appearing to an affiliate logged onto the LockBit control panel. The news first broke Feb. 19 when a screenshot of that message was posted on the X (formerly Twitter) account of Vx-Underground, an online repository for malware source code, samples, and papers.

The message cited "Lockbitsupp [sic] and its flawed infrastructure" as the reason for the seizure and was signed by the FBI, the National Crime Agency (NCA) of the UK, Europol, and the Operation Cronos Law Enforcement Task Force.

The NCA later confirmed the law-enforcement activity in a press release published today, saying it has taken control of LockBit's primary administration environment and the group's public-facing leak site on the Dark Web. Affiliates used the former to build and carry out attacks, while the latter is where LockBit hosted and published (or threatened to publish) data stolen from victims.

"Instead, this site will now host a series of information exposing LockBit's capability and operations, which the NCA will be posting daily throughout the week," according to the release.

Authorities also have seized the LockBit platform's source code and a vast amount of intelligence from their systems about their activities and those who have worked with them, the NSA confirmed. They also obtained a thousand LockBit decryption keys and respective authorities will be in contact with victims to help them use the keys to recover data.

LockBit "Flaw" Used Against It

"LockBitSupp" is the threat actor/technical support service that runs the LockBit operation, using the Tor messaging service to communicate with affiliates. The account status of LockBitSupp on that service now shows a message stating that authorities breached the ransomware operation's servers using a PHP exploit, according to a published report.

The vulnerability used to compromise LockBit is tracked as CVE-2023-3824, a flaw present in PHP version 8.0 before 8.0.30,  8.1. before 8.1.22, and 8.2. before 8.2.8, according to Vx Underground. In vulnerable versions, reading PHAR directory entries during the loading of a PHAR file can result in "insufficient length checking" that can lead to a stack buffer overflow, which in turn can potentially lead to "memory corruption or RCE," according to the flaw's entry in NIST's National Vulnerability Database.

The NCA did not confirm how authorities breached LockBit's operations, but said that the technical infiltration and disruption "is only the beginning of a series of actions against LockBit and their affiliates." As part of the group effort, Eurpol also arrested two LockBit actors in Poland and Ukraine, while more than 200 cryptocurrency accounts linked to the group have been frozen.

RaaS Targeted by Law Enforcement

LockBit is arguably the world's largest RaaS operation, which has been rampantly pillaging organizations and their data through custom malware tools and a network of cybercriminal affiliates since it first appeared on the scene in 2019. Between 2020 and June of last year, the group extorted around $91 million across 1,700 cyberattacks in attacks against US organizations.

While initial LockBit victims were small and midsize companies, the group gained confidence over the years and began to target larger and more recognizable organizations. Some of its most recent victims included aviation manufacturer Boeing, sandwich maker Subway, Hyundai Motor Europe, and Bank of America, among others.

Because of the size and scope of its operation, LockBit has been in the crosshairs of global authorities for some time, and even before Operation Cronos some of the group's associates already had been been arrested.

In June of last year, the US Department of Justice arrested and charged a Russian national, Ruslan Magomedovich Astamirov, for his role as a LockBit affiliate in at least five attacks between August 2020 and March 2022. Astamirov was the third defendant charged by the DoJ in relation to the LockBit global ransomware campaign, and the second defendant to be apprehended.

CISA-Recommended Mitigations for Ransomware

While experts believe the law-enforcement actions will certainly slow the group's pace of attacks in the immediate future, they probably won't stop LockBit and its affiliates entirely from participating in ransomware activity — an assessment borne out by the resurgence of the BlackCat/AlphaV and Cl0p gangs after their dismantling.

"In time ... they will resurface, likely under a different name, with current members likely joining or establishing other successful gangs," Yossi Rachman, senior director, research at security firm Semperis, notes in an email to Dark Reading.

"That's why it's important for organizations to remain vigilant to avoid compromise by the group," he says. To this end, the Cybersecurity Infrastructure and Security (CISA) earlier this month released on its website a list of indicators of compromise (IOCs) of the group's ransomware as well as a series of mitigations (PDF) to reduce the risk of compromise.

Recommendations made by the agency include requiring all accounts with password logins to have strong, unique passwords that aren't reused across multiple accounts or stored on a system where an adversary may have access. Organizations also should require the use of multi-factor authentication (MFA) for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.

CISA also advised that organizations keep all operating systems and software up to date, prioritizing patching of known exploited vulnerabilities. Removing unnecessary access to administrative shares and/or restricting privileges also can thwart ransomware actors from accessing corporate systems.

Other recommendations made by the agency include the use of a host-based firewall that only allows connections to administrative shares via server message block (SMB) from a limited set of administrator machines, and the enablement of protected files in the Windows Operating System to prevent unauthorized changes to critical files.