This week, we saw a high-profile takedown of the LockBit ransomware group. Or at least, that’s what you’d be forgiven for thinking, given the media coverage of Operation Cronos. More accurately, we have witnessed the disruption of the world’s most prolific ransomware group: some of its infrastructure was taken down, and investigators gained access to critical data, including some encryption keys.

Two alleged members of the group have been arrested, but the criminal kingpin – who goes by the name of LockBitSupp – remains at large, albeit with a multi-million dollar bounty on their head.

Many cybersecurity experts have pointed out that disruption isn’t the same as destruction and warned that it’s unlikely this will be the end of the road for LockBit.

Operation Cronos, led by the UK’s National Crime Agency with FBI assistance, has undoubtedly been a success worth applauding. Indeed, the NCA went so far as to troll the LockBit criminals, replacing information about victims on the LockBit dark web leak site with wanted posters and news about arrests and the operation itself.

Unfortunately, it’s way too early to celebrate the death of LockBit, as high-profile ransomware groups have a habit of rising phoenix-like from the ashes of law enforcement takedowns.

LockBit will be reborn

It’s worth remembering that LockBit itself was born out of other groups.

According to an analysis from Flashpoint, the BlackMatter group (a variant of DarkSide) handed over victim data to LockBit following law enforcement targeting in 2021. In 2022, Evil Corp started using LockBit to “bypass restrictions placed on the group by the US Treasury Department’s Office of Foreign Assets Control (OFAC)”.

“This disruption will likely be temporary and minimal at best to the organisation behind LockBit,” says Jon Marler, Cyber Evangelist at VikingCloud. “LockBit’s malware is currently in its third major revision, and without any arrests of the core team that created it, we can only expect more.”

A Trend Micro research report published today appears to confirm this: “Recently, we came into possession of a sample that we believe represents a new evolution of LockBit: an in-development version of a platform-agnostic malware-in-testing that is different from previous versions.”

The report goes on: “Based on its current developmental state, we are tracking this variant as LockBit-NG-Dev, which we further believe could form the basis of a LockBit 4.0 that the group is almost certainly working on.”

As Mark Stockley, a Senior Threat Researcher at Malwarebytes, says: “The main unanswered question is how much of LockBit group is left intact, and what will they do next. It’s very hard to see the LockBit ‘brand’ surviving this, so I expect it will either rebrand or disperse into other groups in the way that Conti did.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
