LockBit Ransomware Group Down – But Are They Out?

On February 20, 2024, law enforcement agencies from the United States, the UK, and other nations announced in a press release that they had seized infrastructure and websites belonging to the ransomware group LockBit. Seizing the assets of one of the most active ransomware groups in the world should restrict the group’s ability to distribute its ransomware for a while, but does it mean they are “out for the count”?

What happened?

For quite a few years, the LockBit ransomware group has operated under a “Ransomware-as-a-Service” (RaaS) model that has only recently become widespread. On February 20th, however, the US and UK governments announced that they had seized infrastructure, Internet-facing websites, and servers to take the group offline.

Indictments against two Russian nationals, Artur Sungatov and Ivan Kondratyev, were also unsealed, charging that the men had deployed LockBit ransomware against businesses worldwide. The two men have not been named as core members of LockBit, but without confirmation, we cannot assume that they aren’t.

While law enforcement has certainly disrupted the group’s operations, this is unlikely to mark its end. Such groups often have a dispersed leadership structure that lets them regroup and resume their activities when threatened. Moreover, because their ransomware variants are already widely distributed across the Internet, other attackers can keep operating as before, even without the core group’s participation.

Who is LockBit?

The group known as LockBit has been active since at least 2019, when it was first attributed with using and providing the ransomware “ABCD.” ABCD was later rewritten to become the first version of the well-known LockBit offering, which was then seen on various cybercrime and ransomware sales sites.

Over time, the ransomware was updated to infect additional operating systems and virtual machines. At this point, Windows, Linux, and Mac operating systems are all vulnerable to the ransomware, giving those who use it a broad range of possible victims.

The group behind the malware has been connected to numerous attacks worldwide, including in the United States, United Kingdom, Australia, and Germany.

One noted difference between the founding group’s payment terms and those of other groups is that the affiliate using the software collects the ransom first and is then expected to pass on the group’s share of the illegally obtained funds. Other groups usually collect the payment themselves first and then give the remainder to the attackers. As a result, the software tends to be used more often, and by a more varied set of attackers, than other types of ransomware.

What does LockBit ransomware do?

Ransomware is a type of malware that, depending on its code, can carry out many kinds of attacks, all with the goal of encrypting data so that the attackers can demand payment to unlock it.

LockBit, in all its forms, can find and exploit vulnerabilities in a network or computing device to gain entry. Once inside, the software surveys file and data locations as candidates for encryption, or for exfiltration to a location where the data can be sold to criminals.

The software is “leased” or sold to interested parties online for their use in attacks, with various methods of profit-sharing between the buyers and sellers. 

Once an agreement is struck between the parties, the LockBit creators don’t just leave the attackers to their own devices. They help with finding targets, locating usable vulnerabilities, and other services that make the attacks more successful. This is where the ransomware-as-a-service name comes into play.

For more detailed information about the malware, download the CISA advisory report.

How might this affect you?

LockBit ransomware is like all forms of malware in that it depends on users and organizations not fully understanding or mitigating the vulnerabilities in their networks and systems. Those vulnerabilities are the entry points attackers use to gain access to your data.

If you or your organization have good cybersecurity practices and continue to improve them, you become a “hard” target for attackers. Attackers almost always work to make a profit in some form, so by becoming a target that isn’t easy to breach, you make their chances of profiting much lower.

If, on the other hand, you aren’t monitoring your computing environment and closing those vulnerabilities that come to your attention, then you are an easy target. Easy targets make for easy money, right?

How can you protect yourself and your organization?

Once again, attackers depend on your systems having vulnerabilities that they can exploit, so there are several things you can do.

Start by ensuring that your system users and maintainers are trained both to use the systems and to protect them. Cybersecurity training for users is a huge step toward protecting your assets. It covers what they are allowed to do, how they should do it safely, and what to watch for if someone is trying to attack the organization through them.

Also, ensure that those responsible for securing the systems and networks within your domain are capable and knowledgeable. Don’t hesitate to pay for them to obtain updated training that will improve their skills.

Protecting your assets also depends on your organization providing the financial support needed, along with the policies needed to implement cybersecurity properly across the entire organization. This requires that your top-most management team fully understands and backs the value of that investment.

Northstarr recommendations

Here are a few solid suggestions for protecting your organization from cyber attacks:

  • Cybersecurity education from the top-most level of your organization to the bottom. This includes every person who works for you or has access to your sites and systems. Vendors that provide software, hardware, services, and other products should also be trained in your cybersecurity policies and practices.
  • Practice good cyber hygiene. This means that your personnel and affiliates always work to help maintain and improve the cybersecurity state of your operations.
  • Communication is also vital to your protective efforts. Your employees should feel no stress in communicating potential problems or observed actions that might mean an attack has started or is in progress. They should also know who to contact and how to contact them.
  • And finally, keep monitoring your environment for threats or problems, and then work diligently to fix them. Once fixed, make sure that you and your teams review what happened for any chance to improve your protection or how you respond to problems.
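
The article describes what the ransomware ultimately does (files encrypted in place) and closes by recommending that you keep monitoring your environment. The script below is an added illustration of one cheap, file-level check a defender can run for that purpose; it is not code from Northstarr, CISA, or any vendor product, and it is not specific to LockBit. It flags files whose bytes look like ciphertext (Shannon entropy close to 8 bits per byte) or whose leading bytes no longer match what their extension promises (a `.xlsx` that does not start with the ZIP header). The `MAGIC` table, the 7.5-bit threshold, and the four sample files written to a temporary directory are all assumptions constructed for the demonstration.

```python
"""
Heuristic scan for files that look freshly encrypted: high byte entropy,
or a file header that no longer matches the file's extension.
Added illustration; sample files are constructed in a temp directory.
"""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes ("magic") for a few common types. Assumption used here:
# a file keeping one of these extensions but lacking the header is suspicious,
# because in-place encryption keeps the name and destroys the header.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".zip": b"PK\x03\x04",
}

ENTROPY_THRESHOLD = 7.5   # bits per byte; 8.0 is the theoretical maximum


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input or a single repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 65536) -> dict:
    """Read the first sample_size bytes and return entropy / header verdicts."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    entropy = shannon_entropy(head)
    expected = MAGIC.get(path.suffix.lower())
    header_mismatch = expected is not None and not head.startswith(expected)
    high_entropy = entropy >= ENTROPY_THRESHOLD
    return {
        "path": str(path),
        "entropy": round(entropy, 3),
        "high_entropy": high_entropy,
        "header_mismatch": header_mismatch,
        "suspicious": high_entropy or header_mismatch,
    }


def scan_directory(root: Path) -> list:
    """Walk a tree and return the verdict dicts of every suspicious file."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            verdict = classify_file(Path(dirpath) / name)
            if verdict["suspicious"]:
                flagged.append(verdict)
    return flagged


def build_sample_tree() -> Path:
    """Constructed sample data: two benign files, two that mimic encrypted output."""
    root = Path(tempfile.mkdtemp(prefix="ransom-scan-"))
    (root / "notes.txt").write_bytes(b"Quarterly report draft. " * 200)
    (root / "report.pdf").write_bytes(
        b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >>\n" * 100)
    rng = random.Random(1234)  # deterministic stand-in for ciphertext, not real malware output
    (root / "budget.xlsx").write_bytes(rng.randbytes(4096))       # encrypted in place, name kept
    (root / "photo.png.locked").write_bytes(rng.randbytes(4096))  # encrypted and renamed
    return root


if __name__ == "__main__":
    for hit in scan_directory(build_sample_tree()):
        print(hit)
```

Run as written, the scan flags `budget.xlsx` on both signals and `photo.png.locked` on entropy alone (its new extension is not in the table). The caveat a practitioner would apply before using this on a real file share: compressed and already-encrypted content (archives, media, password-protected documents) is also high-entropy, so the entropy signal needs an allow-list or a baseline of what normally lives in each directory, and a sudden spike in the number of flagged files matters far more than any single hit.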

Cybersecurity is a 24/7/365 mission and must always be one of the top-of-mind elements of your business operations. Don’t let someone like the LockBit crew or one of their attackers become the bane of your business.