Learning from the LockBit takedown

An international law enforcement task force comprising agencies from 10 countries including Australia and Japan has announced the successful takedown of the LockBit ransomware gang.

Operation Cronos, led by UK and US authorities, seized the darknet sites run by LockBit, the infamous and prolific ransomware group that claimed more than 2000 victims worldwide and extorted more than US$120 million in ransom payments.

For the past four years, the LockBit gang has sown fear among enterprises and governments worldwide and contributed to a large share of ransomware attacks. An Akamai research report from 2023 highlights that LockBit influenced the ransomware scene by claiming 39% of the total ransomware victims (1091 victims) and more than triple the number of the second-highest ranked ransomware gang.

Since January 2020, LockBit was responsible for hundreds of attacks in the Asia–Pacific region, targeting organisations across financial services, critical infrastructure, agriculture, education and government. It shut down the largest port in Japan at Nagoya for two days, which is used by Japan’s largest car manufacturers. In a similar fashion, LockBit encrypted the IT systems of the biggest port in Australia, disrupting its operations. The impact was so grave that LockBit apologised for the attack and provided the decryptor keys to restore service. The group also recruited low-tech hackers with its ransomware-as-a-service tool, which amplified the scale, reach and damage caused by their LockBit signature ransomware attacks.

LockBit took pride in shaming those who refused to pay the ransom by leaking their sensitive data for all to see.

The operation was not without its drama. LockBit’s infamous leader, lockBitSupp, trolled operation Cronos and complained about the lack of bounty on his head. He even offered a US$10 million bounty on himself to unmask his identity. LockbitSupp’s true identity for now remains a mystery.

Authorities are also taking a page out of the LockBit gang’s media savviness to communicate their attacks and shame their victims. They named their operation Cronos and shared an hourly countdown to the announcement of LockBit’s takedown. The once darknet sites that were leaking customer data are now sharing the decryptor keys for those who stood against extortion and refused to pay the ransom. The Japanese Police, supported by Europol, developed a decryption tool designed to recover files encrypted by the LockBit 3.0 Black Ransomware.

Authorities intended to send a clear message to all ransomware gangs that they can no longer hide behind Tor to evade surveillance in the dark web and that they will be held accountable for their actions.

Prevention is better than recovery

This was a bold takedown marked by the collaboration of authorities across many countries. However, relying on multinational task forces to take down ransomware gangs and recover decryptor keys is not an effective security strategy. Prevention is better than recovery.

Ransomware gangs are nimble and a variant of the LockBit gang could fill the void and soon take over with even more damaging tools. Let’s keep in mind the attempted takedown of another prolific ransomware group, Blackcat/APHV, which ‘unseized’ its dark web site hours after it was seized by the FBI. In a back-and-forth with the authorities, the group posted the image of a black cat and a banner declaring, “THIS WEBSITE HAS BEEN UNSEIZED.” The gang is still at large and the US State Department is offering an up to US$10 million bounty for information on the group’s leaders. The ransomware gangs are learning and will adapt to the tools and techniques used by the authorities.

The most effective security strategy is to prevent attackers from accessing and encrypting the data on critical servers and to have backup in the event that they are able to breach an environment. Now is the time for organisations to reassess the state of their security postures. A thorough understanding of attack surfaces, along with strong processes and playbooks to prevent and recover from ransomware attacks, is essential.

Implementing a zero trust architecture starting with software defined microsegmentation to prevent lateral movement post breach is critical. Full network visibility to identify indicators of compromise (IoCs) will enable a more offensive posture against ransomware attacks and allow compliance with local cybersecurity regulations. It's time to shut down ransomware by implementing a security solution at each point of the ransomware kill chain.

Top image credit: iStock.com/Iván Jesús Cruz Civieta