Law Enforcement Disrupts LockBit and Taunts Administrator
- February 29, 2024
- Clayton Rice, K.C.
A sprawling operation by an international consortium of law enforcement agencies has seized the infrastructure and website of the notorious LockBit ransomware group. Over the last five years the seemingly untouchable purveyor of ransomware-as-a-service rapidly grew into one of the most prolific hacking enterprises in the dark web ecosystem infiltrating governments, businesses and medical facilities worldwide. But is LockBit back? Has it returned with a new leak site while cyber sleuths troll the group and its administrator in the language of its trade?
1. Introduction
On February 19, 2024, James Pearson reported for Reuters that the notorious cyber crew LockBit had been disrupted by an international law enforcement task force dubbed Operation Cronos. (here) Led by Britain’s National Crime Agency, the U.S. Federal Bureau of Investigation and Europol, the coalition included France’s Gendarmerie Nationale Cyberspace Command, Japan’s National Police Agency and the Royal Canadian Mounted Police. LockBit, described by cybersecurity strategist Jon DiMaggio as “the Walmart of ransomware groups”, has according to the United States targeted over 2,000 victims and received more than $120 million in ransom payments. In a press release the next day, the U.S. Department of Justice said the enforcement action disrupted LockBit’s operations by seizing websites used to connect to the organization’s infrastructure and by taking control of servers used by LockBit administrators. (here) According to U.S. Attorney General Merrick Garland, decryption keys were also obtained from the seized infrastructure to help victims decrypt their systems and regain access to their data.
2. Background
On February 20, 2024, Britain’s National Crime Agency posted an announcement to its website stating it had taken control of LockBit’s primary administration environment and the group’s leak site on the dark web. (here) The seized site would now host a series of NCA bulletins exposing LockBit’s capability and operations, to be posted daily throughout the week. Over the preceding twelve hours the group’s infrastructure, based in three countries, had been seized by Operation Cronos, and 28 servers belonging to LockBit affiliates were also taken down. A statement on Operation Cronos issued by Europol said that months of infiltration had resulted in the compromise of LockBit’s primary platform, including the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, Britain and the United States. Europol said two LockBit actors were arrested in Poland and Ukraine at the request of French judicial authorities, but no further information has been released about who was detained. (here)
3. What is LockBit?
The LockBit ransomware variant operates on the ransomware-as-a-service (RaaS) model, in which administrators design the ransomware, recruit affiliates to deploy it and maintain an online software dashboard, called a “control panel”, that provides affiliates with the tools to deploy LockBit. Affiliates, in turn, identify and access vulnerable computer systems through their own hacking or by purchasing stolen access credentials. Using the control panel operated by the developers, affiliates then deploy LockBit within the targeted computer system, allowing them to steal and encrypt data. A ransom is then demanded in exchange for decrypting the data and for not publishing it on a public website, often called a data leak site, maintained by the LockBit developers. Last year, Catharine Tunney reported for CBC News, Canada’s national broadcaster, that the Communications Security Establishment had issued a threat report stating that LockBit was responsible for 22% of ransomware attacks in Canada and would pose an “enduring threat” to Canadian organizations. (here)
4. The Indictments
On February 20, 2024, in conjunction with the takedown, the U.S. Department of Justice unsealed an indictment in the United States District Court, District of New Jersey, charging Russian nationals Artur Sungatov and Ivan Kondratyev with conspiracy to damage a protected computer and commit extortion. The indictment follows the one previously unsealed charging Russian-Canadian national Mikhail Vasiliev with conspiracy, which I discussed in a previous post to On The Wire. (here) In a post to Krebs on Security titled Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates, investigative journalist Brian Krebs said a total of five LockBit affiliates have now been charged. (here)
The indictment in the U.S. District Court, District of New Jersey, charges Mr. Sungatov and Mr. Kondratyev, also known as “Bassterlord”, with deploying LockBit against targets in the United States, including businesses in the manufacturing sector. (here) A prior indictment in the U.S. District Court for the Northern District of California in Oakland was also unsealed. That indictment charges Mr. Kondratyev with deploying ransomware against a target in California. (here) I will focus my following comments on the New Jersey indictment, which alleges that the goal of the conspiracy was to enrich Mr. Sungatov and Mr. Kondratyev by: (a) deploying the LockBit ransomware variant, maintaining LockBit infrastructure and hacking targeted computer systems; (b) demanding ransom payments from targets following successful attacks; and, (c) extorting non-compliant targets by posting their stolen data on the internet through a website known as a “leak site”. Here are the key allegations about the manner and means of the conspiracy.
- The LockBit conspiracy operates through the “ransomware-as-a-service” model, or “RaaS”. The RaaS model involves two related groups of ransomware perpetrators: developers and affiliates. The developers design the ransomware code itself, much as a software company would, and maintain the infrastructure, such as servers, on which LockBit operates. The developers then recruit and market their ransomware product to affiliates, who actually deploy the ransomware product designed by the developers.
- The LockBit ransomware variant relies on a “control panel” for its operation. In the ransomware context, a “control panel” is a software dashboard made available to an affiliate by the developers to both provide that affiliate with tools necessary for the deployment of ransomware attacks and to allow developers to monitor their affiliates’ activities. The LockBit control panel allowed affiliates to […] develop custom builds of the LockBit ransomware for particular victims, communicate with LockBit victims for ransom negotiation, and publish data stolen from LockBit victims to the LockBit Data Leak Site.
- Much of the LockBit infrastructure, including the various LockBit control panels and the LockBit Data Leak Site, were hosted on the dark web. The “dark web” comprises Internet content that requires specialized software or configurations to access and is intended for anonymous and untraceable online communication.
- Once a new affiliate joined the LockBit ransomware conspiracy, that affiliate was given their own control panel hosted at a unique domain name on the dark web. [Clause 5(a)-(d)]
A LockBit attack would typically begin with affiliates gaining unauthorized access to vulnerable computer systems through hacking, network penetration techniques and the use of stolen access credentials purchased from third parties. Affiliates would then deploy LockBit within the targeted computer systems, exfiltrating documents and data and encrypting them in place. Affiliates would leave behind a ransom note providing instructions on how to contact the affiliate, coupled with a threat to publish the stolen data and to leave the victim’s data encrypted and inaccessible. Affiliates usually demanded payment in Bitcoin; if the victim agreed to pay, the affiliate usually sent the victim a Bitcoin address. The developer would typically receive 20% of the ransom payment and the affiliate would receive 80%.
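The attack chain the indictment describes, deploy the ransomware, encrypt the data in place and drop a ransom note, leaves two file-system signals a defender can look for: a burst of renames to one new extension by a single account, and the same note filename appearing in many directories. The following is an added example of that detection logic, not code from the indictment, from LockBit or from any of the agencies named above. The event format, the thresholds, the hostnames, the `.enc-ABC123` extension and the `RESTORE-FILES.txt` note name are all constructed for the sample and are not LockBit’s real artifacts.

```python
"""Heuristic triage for the two file-system signals of a ransomware deployment
described in the text: mass renames to a single new extension, and a ransom
note dropped into many directories. Added example; event schema and thresholds
are assumptions, not derived from LockBit or from any referenced agency."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class FileEvent:
    """One file-system audit record (assumed schema, e.g. from an EDR or auditd feed)."""
    ts: datetime
    host: str
    user: str
    action: str                     # "rename", "create" or "write"
    path: str
    new_path: Optional[str] = None  # destination path for renames


def _ext(path: str) -> str:
    """Lower-cased final extension of a path, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_encryption(events: Iterable[FileEvent], window: timedelta = timedelta(minutes=5),
                           min_renames: int = 50, min_share: float = 0.9) -> List[dict]:
    """Flag (host, user) pairs whose renames, inside any sliding window, are dominated
    by one new extension. Alerts as soon as the threshold is crossed, once per actor."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action == "rename" and e.new_path:
            by_actor[(e.host, e.user)].append(e)
    alerts = []
    for (host, user), evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            if len(span) < min_renames:
                continue
            ext, n = Counter(_ext(e.new_path) for e in span).most_common(1)[0]
            if ext and n / len(span) >= min_share:
                alerts.append({"host": host, "user": user, "ext": ext, "count": n,
                               "first": span[0].ts, "last": span[-1].ts})
                break
    return alerts


def detect_ransom_note_drop(events: Iterable[FileEvent], min_dirs: int = 20) -> List[dict]:
    """Flag a filename created by one actor in many distinct directories."""
    dirs = defaultdict(set)
    for e in events:
        if e.action == "create":
            directory, _, name = e.path.rpartition("/")
            dirs[(e.host, e.user, name)].add(directory)
    return [{"host": h, "user": u, "note": n, "dirs": len(d)}
            for (h, u, n), d in dirs.items() if len(d) >= min_dirs]


def triage(events: Iterable[FileEvent]) -> List[dict]:
    """Correlate both signals on the same host and account; either alone is noisier."""
    events = list(events)
    encrypting_actors = {(a["host"], a["user"]) for a in detect_mass_encryption(events)}
    return [dict(n, mass_rename=True) for n in detect_ransom_note_drop(events)
            if (n["host"], n["user"]) in encrypting_actors]


def sample_events() -> List[FileEvent]:
    """Constructed sample: a benign user renaming drafts, then a service account
    renaming 200 files to a made-up extension and dropping a note in 25 directories."""
    t0 = datetime(2024, 2, 1, 3, 14, 0)
    events = [FileEvent(t0 + timedelta(minutes=10 * i), "ws-07", "alice", "rename",
                        f"/home/alice/draft{i}.docx", f"/home/alice/final{i}.docx") for i in range(5)]
    for i in range(200):
        d = f"/srv/share/dept{i % 25}"
        events.append(FileEvent(t0 + timedelta(seconds=0.5 * i), "fs-01", "svc_backup", "rename",
                                f"{d}/report{i}.xlsx", f"{d}/report{i}.xlsx.enc-ABC123"))
    for i in range(25):
        events.append(FileEvent(t0 + timedelta(seconds=100 + i), "fs-01", "svc_backup", "create",
                                f"/srv/share/dept{i}/RESTORE-FILES.txt"))
    return events


if __name__ == "__main__":
    for alert in triage(sample_events()):
        print(alert)
```

Rename bursts alone also fire on bulk archival jobs and some backup agents, which is why the correlation in `triage` keys both signals to the same host and account; tune the window and the rename threshold to the file-server’s normal churn before relying on it.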
5. Conclusion
On February 26, 2024, Mr. Pearson reported that LockBit had claimed its servers were restored and that it was back in business. (here) In a statement Reuters described as rambling and verbose, the crew claimed Operation Cronos had hacked its dark web site using a vulnerability in PHP, the programming language widely used to build websites and online applications. “All other servers with backup blogs that did not have PHP installed are unaffected,” the statement said, in English and Russian, on a new version of LockBit’s site. LockBit’s administrator, known by the moniker “LockBitSupp”, threatened to retaliate by targeting the government sector. On the same day, Carly Page reported for TechCrunch that the NCA had replied to the threat, stating that LockBit remains “completely compromised”. The NCA has not revealed LockBitSupp’s identity but ratcheted up the taunting. “We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with law enforcement,” the NCA said. (here)
In a piece titled A Global Police Operation Just Took Down the Notorious LockBit Ransomware Gang published by WIRED on February 20, 2024, security writer Matt Burgess argued that, while the LockBit takedown is significant, it may be temporary. (here) Ransomware groups dismantled by law enforcement often resurface as a new brand and move on with new hacking campaigns. They are resilient and persistent. “Disruption of the LockBit ransomware service would seriously slow down the number of ransomware attacks, even though it might be temporary,” said Allan Liska of the cybersecurity firm Recorded Future. At least, as Mr. Burgess concluded, the takedown is, “likely to send a message to LockBit’s affiliates and act as a sign that the group’s brand is tainted.”