In response to the recent seizure of the notorious ransomware gang LockBit’s network, Adarma’s Security Consulting and Threat Team have compiled an executive summary of events and practical recommendations to help organisations enhance their ransomware readiness. Included are observations on the potential impact of this event on the ransomware landscape. If you’re interested in accessing our threat hunting resources, please reach out to the Adarma Threat Team at hello@adarma.com.
On February 20th, the UK’s National Crime Agency (NCA) disclosed the specifics of their latest operation targeting the notorious ransomware group, LockBit. According to the NCA’s website, it had been working closely with the FBI, and supported by international partners from nine other countries, covertly investigating LockBit as part of a dedicated taskforce called Operation Cronos.
The NCA detailed that they had successfully seized control of LockBit’s main administrative hub, disrupting the group’s activities, including its ability to launch attacks, and shutting down its public-facing leak site on the dark web. Until now, this site had been used by LockBit to host, and threaten to release, data stolen from its victims. Instead, the site will now serve as a platform for exposing LockBit’s capabilities and operations. Also impacted was the infrastructure LockBit used to run its custom ‘Stealbit’ data exfiltration tool, which was taken entirely offline. The NCA plans to release daily updates revealing insights into the group’s activities.
In addition, the NCA confirmed it had also obtained the LockBit platform’s source code and a vast amount of intelligence from their systems, including information about the group’s activities and those who have worked with them and used their services to launch attacks. Worryingly, the intelligence contained data belonging to victims who had paid a ransom, revealing that even when a ransom is paid there is no guarantee that the threat actors will delete the data as promised.
The US Department of Justice has reported that two individuals who employed LockBit to execute ransomware attacks have been formally charged, detained, and are set to undergo trial within the US. Furthermore, indictments against two additional individuals, identified as Russian nationals, have been unveiled, implicating them in the conspiracy to conduct LockBit attacks.
In light of these developments, the NCA, alongside its international counterparts, is now able to offer aid to LockBit victims. With over 1,000 decryption keys in hand, the NCA plans to reach out to UK-based victims in the coming days and weeks to help them recover their data.
Emerging in 2019, LockBit are considered one of the most prolific ransomware groups. Operating using a ransomware-as-a-service model, the group has built a global network of hackers known as ‘affiliates,’ whom the group provides with tools and infrastructure to carry out attacks. These attacks have affected thousands of victims worldwide, including in the UK, resulting in financial losses in the billions. These losses include ransom payments and expenses incurred during recovery efforts. The NCA estimates that LockBit are responsible for 25% of all ransomware attacks in 2023.
It’s too early to tell if Operation Cronos will have a lasting impact on ransomware attacks. Ransomware has continued to be one of the biggest threats to organisations, with the average pay-out jumping from £643,640 in 2022 to £1,221,975 in 2023.
With such a clear financial motivation for cyber criminals, the takedown could be seen as an opportunity to fill the void rather than a deterrent to other groups, and could potentially lead to a spike in ransomware attacks. We have seen similarly sized ransomware groups such as Conti and DarkSide split off into new, smaller groups after major disruptions to their operations. Based on information released by the US authorities, LockBit had around 190 affiliate members. While some arrests have been made, the vast majority of these affiliates are still at large and free to act on behalf of other gangs.
There is also the possibility that LockBit will be out for revenge. The group relies heavily on its reputation, and it has been publicly undermined. This latest setback follows recent disputes on e-crime forums over payments to its affiliates; if LockBit can recover from Operation Cronos, it will be anxious to regain trust and respect.
One of the primary attack vectors for ransomware is malicious email that entices the recipient to click a link or open an attachment, giving the threat actors initial access to the environment.
Here are our recommendations on how to prepare and defend against ransomware attacks.
1. Educate your staff: Organisations spend a lot of time training their teams to spot a suspicious email through ‘Phishing Exercises’, but often fail to also provide guidance on how to report an incident. If an employee accidentally clicks a link or downloads an attachment, they need to know who to contact and what information to provide.
2. Plan and train for an attack: Cyber-attacks are high stress and high intensity for all involved during an incident. Running a crisis simulation assessment can help prepare your organisation for real-world attacks, identify gaps in your security, highlight areas for skill development and empower your organisation to respond swiftly to incidents with confidence. See Adarma’s Cyber Crisis Simulation Assessment for more information on the benefits and outcomes of an assessment.
3. Leverage Threat Intelligence: Intelligence is critical to detecting threats to your organisation; the strongest defence relies on knowing the enemy. Spotting the traces attackers leave can catch a breach early, and those traces will assist incident response teams in identifying who was behind the attack, their motivation and their goals.
4. Keep Indicators of Compromise (IOCs) updated: It’s vital that analysts’ IOC information stays current with the threat landscape. Failing to do so significantly increases your business risk.
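As an added illustration of recommendations 3 and 4 (this is example code, not Adarma’s tooling or anything released by the NCA): a small Python script that matches constructed proxy and EDR log lines against a constructed IOC list and flags indicators that have not been refreshed within a review window. The IOC values, the log lines, the field names (`dst`, `sha256`) and the 90-day window are all assumptions made for the example; none of the indicators are real LockBit IOCs.

```python
import re
from datetime import date, timedelta

# Constructed IOC list for illustration only. Each entry records when it was
# added so that stale indicators can be surfaced for review or retirement.
# None of these values are real LockBit indicators.
IOCS = [
    {"type": "domain", "value": "update-check.example.net", "added": date(2024, 2, 19)},
    {"type": "ip",     "value": "203.0.113.45",             "added": date(2023, 6, 1)},
    {"type": "sha256", "value": "a" * 64,                   "added": date(2024, 1, 10)},
]

# Constructed log lines: three proxy events and one EDR file-hash event.
# The "timestamp source key=value ..." layout is an assumption for the example.
LOGS = [
    "2024-02-21T10:01:02Z proxy user=jsmith dst=update-check.example.net status=200",
    "2024-02-21T10:01:05Z proxy user=jsmith dst=192.0.2.10 status=200",
    "2024-02-21T10:02:00Z edr host=WS01 file=invoice.exe sha256=" + "A" * 64,
    "2024-02-21T10:03:00Z proxy user=amiller dst=203.0.113.45 status=403",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Fields whose values are compared against the IOC list.
WATCHED_FIELDS = ("dst", "sha256")


def parse_log(line):
    """Split a 'timestamp source key=value ...' line into a dict of fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(FIELD_RE.findall(rest))
    fields["_ts"] = ts
    fields["_source"] = source
    return fields


def match_iocs(lines, iocs):
    """Return (line_index, ioc) for every line carrying a known indicator.

    Values are lower-cased before comparison so that hash case and domain
    case differences in logs do not cause misses.
    """
    by_value = {ioc["value"].lower(): ioc for ioc in iocs}
    hits = []
    for i, line in enumerate(lines):
        fields = parse_log(line)
        for key in WATCHED_FIELDS:
            value = fields.get(key)
            if value is not None and value.lower() in by_value:
                hits.append((i, by_value[value.lower()]))
    return hits


def stale_iocs(iocs, today, max_age_days=90):
    """Return IOCs added more than max_age_days ago: candidates for review."""
    cutoff = today - timedelta(days=max_age_days)
    return [ioc for ioc in iocs if ioc["added"] < cutoff]


if __name__ == "__main__":
    for idx, ioc in match_iocs(LOGS, IOCS):
        print(f"HIT  line {idx}: {ioc['type']}={ioc['value']}")
    for ioc in stale_iocs(IOCS, date(2024, 2, 21)):
        print(f"STALE {ioc['type']}={ioc['value']} (added {ioc['added']})")
```

Run against the constructed input, the script reports three hits (the domain, the hash, and the IP, the last one even though the proxy blocked the request) and flags the IP indicator as stale, since it was added more than 90 days before the run date. In practice the IOC list would be fed from your threat intelligence platform and the log lines from your SIEM, and the staleness check would drive a regular review rather than automatic deletion.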
We are Adarma, leaders in detection and response services. We specialise in designing, building and managing cybersecurity operations that deliver a measurable reduction in business risk. We are on a mission to make cyber resilience a reality for organisations around the world.
Our team of passionate Cyber Defenders work hand in hand with our customers to mitigate risk and maximise the value of their cybersecurity investments. Powered by the Adarma Threat Management Platform and optimised to our customers’ individual needs, we deliver an integrated set of services that improve your security posture, including best-in-class Managed Detection and Response services.
We operate with transparency and visibility across today’s hybrid-SOC environments to protect our customers as they innovate, transform, and grow their businesses. Adarma delivers the cybersecurity outcomes you need to make a remarkable difference.
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of ‘Cyber Insiders,’ our c-suite publication that explores the state of the threat landscape, emerging cyber threats, and most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.