LockBit Restores Operations Following Law Enforcement Takedown

Date: February 26, 2024


LockBit, the most prolific of all the Ransomware-as-a-Service (RaaS) gangs, announced it has restored operations after spinning up new attack infrastructure just days after a highly publicized law enforcement takedown.

Authorities disrupted LockBit’s infrastructure on February 19, but less than a week later the group said it was back in action, vowing to increase attacks against the public sector as retribution.

“LockBit announced it was resuming the ransomware business and released damage control communication admitting that ‘personal negligence and irresponsibility’ led to law enforcement disrupting its activity in Operation Cronos,” BleepingComputer reports.

“During Operation Cronos, authorities collected more than 1,000 decryption keys. LockBit claims that the police obtained the keys from ‘unprotected decryptors’ and that on the server there were almost 20,000 decryptors, about half of the approximately 40,000 generated over the entire life of the operation.”

Takeaway: "Law enforcement actions and government sanctions against ransomware operators are necessary, but even if these threat actors are arrested or their operations disrupted, there will quickly be another to take their place," Jon Miller, CEO and co-founder of anti-ransomware provider Halcyon told CPO Magazine.

"While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space, overall, law enforcement has had little impact on disrupting ransomware operations. LockBit quickly bounced back from law enforcement’s takedown of its dark web last week. In one weekend, they were able to generate a new leak site."

"This takedown, along with LockBit’s response, is incredibly revealing about what law enforcement actions can and can’t do against these well-organized and well-funded ransomware operations. LockBit is particularly hard to crack because they’ve been active since 2019 and are highly adept at security tool evasion, as well as boasting an extremely fast encryption speed," Miller explained.

"LockBit employs publicly available file-sharing services and a custom tool dubbed Stealbit for data exfiltration. The group was, by far, the most active ransomware operation in 2022 and 2023, and proved they follow through on threats, having exposed a large amount of exfiltrated Boeing data in Q4-2023."

LockBit employs a custom Salsa20 algorithm to encrypt files. LockBit takes advantage of remote desktop protocol (RDP) exploitation for most infections, and spreads on the network by way of Group Policy Objects and PsExec using the Server Message Block (SMB) protocol.

LockBit appears to also still be supporting the older LockBit 2.0 variant from 2021, where the encryptor used is LockBit 2.0 but the victim is named on the LockBit 3.0 leak site. In Q4-2023, LockBit operators were observed frequently exploiting the Citrix Bleed vulnerability (CVE-2023-4966).
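One detection check a defender would want for the PsExec-over-SMB spread described above, added here as an example and not taken from the post or from Halcyon: PsExec copies PSEXESVC.exe to the target's ADMIN$ share and registers it as a service, so the Windows System log records that in an Event ID 7045 (service installed). The script scans constructed 7045 records in a simplified key=value export format (an assumption) and groups PSEXESVC installs by the account that pushed them.

```python
"""Added example (not Halcyon's or LockBit's code): flag the Event ID 7045
records that PsExec leaves on each host it reaches over SMB, then group them
by account so one identity fanning out to many hosts stands out."""
import re
from collections import defaultdict

# Constructed sample records (assumed format: one event per line, key=value
# fields; field names follow the 7045 event schema). Line 4 is a benign
# vendor service install, line 5 is a network logon rather than a 7045.
SAMPLE_EVENTS = """\
ts=2024-02-18T02:11:05Z host=FS01 event_id=7045 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe user=CORP\\svc_backup
ts=2024-02-18T02:11:09Z host=DC02 event_id=7045 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe user=CORP\\svc_backup
ts=2024-02-18T02:11:14Z host=WS117 event_id=7045 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe user=CORP\\svc_backup
ts=2024-02-18T02:12:40Z host=WS118 event_id=7045 service=printsvc image=C:\\Program Files\\Vendor\\print.exe user=SYSTEM
ts=2024-02-18T02:13:02Z host=FS01 event_id=4624 logon_type=3 user=CORP\\svc_backup
"""

# Default PsExec service name. Caveat: the tool's -r option renames the
# service, so a renamed install needs a weaker, path-based indicator instead.
PSEXEC_SERVICE = re.compile(r"\bPSEXESVC\b", re.IGNORECASE)


def parse_event(line):
    """Parse one key=value record into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line.strip()))


def find_psexec_installs(log_text):
    """Return (host, ts, user) for every 7045 event that registers PSEXESVC,
    matching on either the service name or the image path."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("event_id") != "7045":
            continue
        if PSEXEC_SERVICE.search(ev.get("service", "")) or \
                PSEXEC_SERVICE.search(ev.get("image", "")):
            hits.append((ev.get("host", "?"), ev.get("ts", "?"), ev.get("user", "?")))
    return hits


def spread_by_account(hits, min_hosts=2):
    """Group PsExec installs by the pushing account; an account that registers
    PSEXESVC on several hosts is the lateral-spread pattern worth alerting on."""
    by_user = defaultdict(set)
    for host, _ts, user in hits:
        by_user[user].add(host)
    return {u: sorted(h) for u, h in by_user.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for user, hosts in spread_by_account(find_psexec_installs(SAMPLE_EVENTS)).items():
        print(f"ALERT: {user} installed PSEXESVC on {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample this reports CORP\svc_backup pushing PSEXESVC to three hosts within ten seconds while the vendor service install and the plain logon are ignored.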

Notable victims include Boeing, SpaceX, Shakey's Pizza, Banco De Venezuela, GP Global, Kuwait Ministry of Commerce, MCNA Dental, Bank of Brazilia, Endtrust, Bridgestone Americas, Royal Mail.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.