LockBit gang's domains seized by law enforcement


LockBit, the most prominent ransomware cartel of the past several years, had its dark web domain seized, indicating the gang’s activities were disrupted by law enforcement.

The gang’s dark web blog, used to showcase its latest victims, greets users with a message supposedly from law enforcement, saying that “the site is now under the control of law enforcement.”

"We can confirm that LockBit's services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation," reads the notification on what used to be LockBit's leak site.


We have reached out to Europol for confirmation but did not receive a reply before publishing.

According to Reuters, a spokesperson from the UK's National Crime Agency confirmed that the agency had disrupted the gang and said the operation was "ongoing and developing."

LockBit confirmed disruption

Malware researchers vx-underground claim to have a confirmation from the LockBit administrative staff that the gang had its websites seized by law enforcement. Researchers also note that at least 22 different LockBit dark web websites are either offline or display the same law enforcement note, which strongly indicates law enforcement managed to penetrate the gang's online infrastructure deeply.

The gang's admins claim that law enforcement breached LockBit's servers by exploiting a known software vulnerability, a tactic cybercriminals themselves often use to infiltrate the systems of their targets. The flaw, tracked as CVE-2023-3824, impacts the PHP programming language and allows attackers to corrupt memory or cause a denial of service condition.

However, LockBit may not be telling the entire story, in order to mask the true impact law enforcement had on the gang's systems.

LockBit admins issued a message to gang affiliates saying that law enforcement did not take over all of the gang's domains. However, as the disruption went on, affiliates were instructed to communicate with victims via dark web messaging services instead of LockBit's infrastructure.


After news about the attack broke, LockBit's affiliate panel, used to interact with victims and monitor the attack process, greeted criminals with a message from the NCA, saying all of the data was in the hands of law enforcement agents. The message even directed criminals to reach out to the NCA first. The message closely mimics the type of rhetoric ransomware cartels use on their victims.

According to vx-underground, the gang attempted to calm down its affiliate cohort, saying that the servers holding the stolen data are intact. Cybercriminals use stolen data as leverage to force victims into paying the ransom.

Too early to celebrate?

The seizure of LockBit's ransomware infrastructure marks the second time in less than three months that a major ransomware operator has been disrupted by law enforcement. In December 2023, the FBI penetrated the ALPHV ransomware gang’s dark web infrastructure.

Both LockBit and ALPHV sit at the top of the ransomware crime food chain, and both are developed by syndicates with strong ties to the cyber underworld in Russia.

However, it might be too early to cheer the demise of LockBit, thinks Chester Wisniewski, Director and Global Field CTO at cybersecurity firm Sophos.

"Much of their infrastructure is still online, which likely means it is outside the grasp of the police, and the criminals have not been reported to have been apprehended. Even if we don't always get a complete victory, like has happened with Qakbot, imposing disruption, fueling their fear of getting caught, and increasing the friction of operating their criminal syndicate is still a win," Wisniewski said.

One of the key effects such a disruption has on ransomware gangs is the damage to their reputation. Ransomware gangs rely on affiliates, cybercriminals who rent the malware and deploy it against targets. Once affiliates start fearing that stolen funds or illegal activity could be traced by law enforcement, they opt for a different gang.

After law enforcement disrupted ALPHV's activity, the gang did not fully recover, Carlos Perez, senior security consultant at TrustedSec told Cybernews.


"The group has significantly reduced its fees in an effort to regain some users and attract new ones. This move comes as a response to the FBI gaining control over its infrastructure, either partially or fully. The FBI's intervention has instilled fear among many of BlackCat's clientele, as they are uncertain about the extent of information the FBI possesses," he told Cybernews.

Note on Lockbit's leak site. Image by Cybernews.

Who is LockBit?

The LockBit group first appeared on the ransomware scene sometime in late 2019, according to industry insiders. Since then, the gang has climbed to the top of the food chain, topping many lists in terms of victimized organizations.

Even though the gang tried to maintain a fake image of 'ethical' criminals, its affiliates did not refrain from attacking public institutions. In early February, attackers breached Saint Anthony Hospital, a non-profit children's hospital. In January, LockBit claimed an attack against Saint Anthony Hospital in Chicago.

The threat actors are said to have executed over 1,400 attacks against victims in the US and around the world, including Asia, Europe, and Africa. The gang’s notorious ransomware variant LockBit 3.0 – also known as LockBit Black – is now in its third iteration and is considered the most evasive of all previous strains, a US Department of Justice report said. The variant also happens to share similarities with two other Russian-linked ransomware strains, BlackMatter and ALPHV, the DOJ said.

According to the Cybernews Ransomlooker, a ransomware monitoring tool, LockBit accounted for 47% of all publicly announced ransomware victims over the last 12 months.

The gang's key persona is a Russia-based individual under the moniker LockBitSupp. According to Jon DiMaggio, Chief Security Strategist at Analyst1, the individual or individuals behind the admin account fiercely compete in the ransomware world, conducting smear campaigns against rivals.

DiMaggio believes LockBitSupp is closely related to other major ransomware operators in Russia, a hotspot for ransomware activity. Cybercriminals can safely operate under Moscow's rule, as Russia's law enforcement turns a blind eye to the export of cybercrime as long as ransomware gangs don't target local organizations. Most of the key ransomware operators explicitly forbid affiliates from targeting organizations in Russia and in the member states of the Moscow-led Commonwealth of Independent States (CIS).

Updated on January 20 [08:35 AM] with additional details about the law enforcement operation and LockBit.
