LockBit back online as ransomware gang clashes with law enforcement

The Cyber Division of the UK National Crime Agency, the FBI and international partners cut off ransomware threat actors' access to the LockBit website on February 20. The site has been used as a large showcase for ransomware as a service.

On February 26, LockBit resumed operations at a different Dark Web address, according to Reuters. The ransomware gang claimed that its administrators knew how the takedown had occurred (a vulnerability in the PHP programming language) and would run the operation from backup servers that do not have PHP installed. Meanwhile, Reuters reported that Britain's National Crime Agency said the ransomware gang is “fully committed.” The two groups remain in conflict, with special emphasis on the attempt to identify LockBitSupp, the person or persons who lead the gang.

What is the LockBit ransomware group?

According to CISA, LockBit was the most common type of ransomware deployed globally in 2023. LockBit ransomware could be deployed via links to compromised websites, phishing, credential theft, or other methods. LockBit has targeted more than 2,000 victims since its first appearance in January 2020, totaling more than $120 million in ransomware payments.

The gang ran ransomware-as-a-service websites as a legitimate business, offering a data breach blog, a bug bounty program to find vulnerabilities in ransomware, and regular updates. Attackers known as “affiliates” would receive ransomware from LockBit sites.

LockBit ransomware has been deployed against organizations across various industries, particularly manufacturing, semiconductor manufacturing, and healthcare. Additionally, attackers using LockBit have directed ransomware at municipal targets, including the UK's Royal Mail.

LockBit website shut down

On February 20, the US Department of Justice announced that an international law enforcement action shut down numerous websites that the LockBit gang used to launch ransomware attacks. Law enforcement groups from the US, UK, France, Germany, Switzerland, Japan, Australia, Sweden, Canada, Netherlands, Finland and the European Union contributed to the seizure of the LockBit sites.

Five alleged individual LockBit members have been charged for “their involvement in the LockBit conspiracy,” according to the press release.

“Through years of groundbreaking investigative work, the FBI and our partners have significantly degraded the capabilities of hackers responsible for launching devastating ransomware attacks against critical infrastructure and other public and private organizations around the world,” FBI Director Christopher A. Wray wrote in the press release.

“For enterprise IT decision makers, the incident serves as a vivid reminder of the need for robust cybersecurity measures, the value of collaboration with law enforcement and cybersecurity communities, and the need for an agile and informed response strategy,” said Lisa Plaggemier, executive director of the National Cybersecurity Alliance, in an email to TechRepublic.

Is there a decryptor for LockBit?

The UK National Crime Agency and international partners have created decryption capabilities that can unlock data held for ransom by LockBit. Organizations targeted by LockBit can submit a form to the FBI to see if decryption technology could work for them.

“We are turning the tables on LockBit: providing decryption keys, unlocking victim data, and pursuing LockBit's criminal affiliates around the world,” said Deputy Attorney General Lisa Monaco in the Department of Justice press release.

Threat Actor Responses to LockBit Takedown

In the wake of LockBit's downfall, a team from cyber threat intelligence firm Searchlight Cyber monitored Dark Web communication and found that some threat actors were unsure whether the LockBit site would be down forever.

“Even notorious actors (on the Dark Web point LockBit infrastructure has been compromised,” said Vlad Mironescu, threat intelligence analyst at Searchlight Cyber, in an email provided to TechRepublic.

“We have also observed that some threat actors are actively blaming LockBit for poor operational security, amid speculation that law enforcement agencies have exploited vulnerabilities found in LockBit's infrastructure to take down the group,” Mironescu said.

How to mitigate ransomware attacks

Follow cybersecurity best practices to reduce the risk of ransomware in your organization, including:

  • Do not click on suspicious links or suspicious emails.
  • Keep software and hardware updated.
  • Back up your data, including storing critical data offline.
  • Apply the security principle of least privilege, giving users access only to the company data they need.
  • Use powerful spam filters and firewalls.

Plaggemier noted that a good multi-layered security strategy also includes employee education, strong endpoint protection, strict access controls and privilege management, threat intelligence services, application whitelists, regular security audits, penetration testing and participation in collaborative information exchange initiatives.

“This holistic approach ensures preparedness and resilience against ransomware attacks, protecting critical assets and data,” Plaggemier said.