Lessons From the LockBit Takedown

Like most operators out there, we really enjoyed last month's news about international law enforcement disrupting LockBit, one of the world's most profitable ransomware gangs.

Ransomware has become a global problem over the past 10 years, with modern ransomware gangs effectively operating as complex businesses. Over the past year or so, multiple governments and private companies have collaborated to disrupt these gangs. The coordinating organizations involved in Operation Cronos used LockBit's own infrastructure to publish details about the gang's operations. For example, LockBit's leak site was used to publicize the takedown: arrests in multiple countries, decryption keys available, information about the actors, and so on. This tactic doesn't just serve to embarrass LockBit — it is also an effective warning to the gang's affiliates and to other ransomware gangs.

Screenshot of the LockBit leak site after post-takedown summarizing the activities law enforcement performed. (Source: Aaron Walton.)

This activity against LockBit represents a big win, but ransomware continues to be a significant problem, even from LockBit. To better fight against ransomware, the cybersecurity community needs to consider some lessons learned.

Never Trust Criminals

According to the UK's National Crime Agency (NCA), there were instances where a victim paid LockBit, but the gang did not delete the data from its servers as promised.

This isn't unusual, of course. Many ransomware gangs fail to do what they say they will, whether it's not providing a method of decrypting files or continuing to store stolen data (rather than deleting it).

This highlights one of the top risks of paying ransom: The victim is trusting a criminal to hold up their end of the bargain. Revealing that LockBit was not deleting the data as promised severely damages the group's reputation. Ransomware groups have to maintain an appearance of trustworthiness — otherwise, their victims have no reason to pay them.

It is important for organizations to prepare for these eventualities and have plans in place. Organizations should never assume decryption will be possible. Instead, they should prioritize the creation of thorough disaster-recovery plans and procedures in the event their data is compromised.

Share Information to Draw Connections

Law enforcement organizations, such as the United States' FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Secret Service, are always interested in attackers' tactics, tools, payments, and communication methods. These details can help them identify other victims targeted by the same attacker or an attacker using the same tactics or tools. Insight gathered include information on victims, financial losses, attack tactics, tools, communication methods, and payment demands, which, in turn, helps law enforcement agencies better understand ransomware groups. The information is also used when pressing charges against the criminals when they're caught. If law enforcement can see patterns in the techniques being used, it reveals a more complete picture of the criminal organization.

In the case of ransomware-as-a-service (RaaS), agencies employ a two-pronged attack: disrupt both the gang's administrative staff and its affiliates. The administrative staff is generally responsible for managing the data leak site, while the affiliates are responsible for deploying the ransomware and encrypting networks. The administrative staff enables criminals, and, without their removal, will continue to enable other criminals. The affiliates will work for other ransomware gangs if the administrative staff is disrupted.

Affiliates use infrastructure they have purchased or illegally accessed. Information about this infrastructure is exposed by their tools, network connections, and behaviors. Details about administrators are exposed through the ransom process: In order for the ransom process to happen, the administrator provides a communication method and a payment method.

While the significance may not appear immediately valuable to an organization, law enforcement and researchers are able to leverage these details to expose more about the criminals behind them. In the case of LockBit, law enforcement was able to use details from past incidents to plan disruption of the group's infrastructure and some affiliates. Without that information, gathered with the help of attack victims and allied agencies, Operation Cronos likely wouldn't have been possible.

It's important to note that organizations don't need to be victims to help. Governments are eager to work with private organizations. In the US, organizations can join the fight against ransomware by collaborating with CISA, which formed the Joint Cyber Defense Collaborative (JCDC) to build partnerships globally to share critical and timely information. The JCDC facilitates bidirectional information-sharing between government agencies and public organizations.

This collaboration helps both CISA and organizations stay on top of trends and identify attacker infrastructure. As the LockBit takedown demonstrates, this type of collaboration and information sharing can give law enforcement a critical leg up against even the most powerful attacker groups.

Present a United Front Against Ransomware

We can hope that other ransomware gangs take the action against LockBit as a warning. But in the meantime, let's continue to be diligent in securing and monitoring our own networks, sharing intel, and collaborating, because the threat of ransomware isn't over. Ransomware gangs benefit when their victims believe they are isolated — but when organizations and law enforcement agencies work hand in hand to share information, together they can stay one step ahead of their adversaries.