The U.K. National Crime Agency’s Cyber Division, the FBI and international partners have cut off ransomware threat actors’ access to LockBit’s website, which has been used as a large ransomware-as-a-service storefront.
What is the LockBit ransomware group?
According to CISA, LockBit was the most common type of ransomware deployed globally in 2023. LockBit ransomware could be deployed through compromised website links, phishing, credential theft or other methods. LockBit targeted more than 2,000 victims since its first appearance in January 2020, for more than $120 million total in ransomware payments.
The gang ran ransomware-as-a-service websites like a legitimate business, offering a data leak blog, a bug bounty program to find vulnerabilities in the ransomware, and regular updates. Attackers known as “affiliates” would be provided ransomware from the LockBit sites.
SEE: IBM and ISC2 are offering a joint cybersecurity certification course for beginners. (TechRepublic)
LockBit ransomware has been deployed against organizations across various industries, in particular manufacturing, semiconductor fabrication and healthcare. In addition, attackers using LockBit have turned the ransomware on municipal targets, including the U.K.’s Royal Mail.
LockBit website shut down
On Feb. 20, the U.S. Department of Justice announced that an international law enforcement action shut down numerous websites the LockBit gang used to launch ransomware attacks. Law enforcement groups from the U.S., U.K., France, Germany, Switzerland, Japan, Australia, Sweden, Canada, the Netherlands, Finland and the European Union contributed to the seizure of the LockBit sites.
Five individual alleged LockBit members have been charged for “their participation in the LockBit conspiracy,” according to the press release.
“Through years of innovative investigative work, the FBI and our partners have significantly degraded the capabilities of those hackers responsible for launching crippling ransomware attacks against critical infrastructure and other public and private organizations around the world,” wrote FBI Director Christopher A. Wray in the press release.
Is there a decryptor for LockBit?
The U.K. National Crime Agency and international partners created decryption capabilities that can unlock data held for ransom by LockBit. Organizations targeted by LockBit can submit a form to the FBI to see if the decryption technology might work for them.
“We are turning the tables on LockBit — providing decryption keys, unlocking victim data, and pursuing LockBit’s criminal affiliates around the globe,” said Deputy Attorney General Lisa Monaco in the Department of Justice press release.
Threat actors’ responses to LockBit’s takedown
In the wake of the LockBit takedown, a team from cyber threat intelligence company Searchlight Cyber monitored Dark Web communication and found that some threat actors were unsure whether the LockBit site would be down forever.
“Even notorious actors (on the Dark Web forum XSS) known for their history of selling initial access to corporate networks – possibly even affiliates of the ransomware gang – were unsure if they should be concerned or not, not knowing to what extent the infrastructure of LockBit has been compromised,” said Vlad Mironescu, threat intelligence analyst at Searchlight Cyber, in an email provided to TechRepublic.
“We have also observed some threat actors actively blaming LockBit for bad operational security, among speculation that law enforcement agencies have leveraged vulnerabilities found in LockBit’s infrastructure to take the group down,” said Mironescu.
How to mitigate ransomware attacks
Follow cybersecurity best practices to reduce the risk of ransomware in your organization, including:
- Don’t click on suspicious links or suspicious emails.
- Keeping software and hardware updated.
- Backing up your data, including storing critical data offline.
- Applying the security principle of least privilege, giving users access only to what company data they need.
- Using strong spam filters and firewalls.
TechRepublic has reached out to the National Cybersecurity Alliance for more information about how organizations can protect against Lockbit and other ransomware.
