What is LockBit and why were they an issue?

LockBit has been known as the world’s most harmful cybercrime group. Despite only being in operation since 2019, LockBit were responsible for 1/5 of all ransomware breach site posts in 2023 and 25% so far in 2024. Prior to Operation Chronos, the impact of LockBit’s criminality was unknown, but data obtained from the operation revealed that between June 2022 and February 2024, over 7,000 attacks have been carried out using LockBit’s services.

What is a ransomware attack? 

This is when a cybercriminal hacks into your device and uses a malicious software to encrypt and steal your information. Normally you would be prevented from accessing your data and receive a threat of an upcoming data leak unless you pay a ransom to the attackers.

The unmasking of LockBit

On the 7th of May 2024, Russian national Dmitry Khoroshev has been announced as the administrator and developer of LockBit. Prior to this announcement, Khoroshev gloated about his anonymity by offering a $10 Million reward to anyone who could reveal his identity. Following Operation Chronos, the tables have turned and a $10 Million reward is being offered by the US to anyone who can provide information which will lead to his arrest and/ or conviction.

How did LockBit work?

LockBit sold its criminal ransom services to hackers by supplying them with the tools and infrastructure required to carry out the attacks. These attacks were done all around the world, including the UK where networks were infected by the malicious software, data was stolen, and systems became encrypted. If a company wanted their files to be decrypted and data not published, they would need to pay a ransom. As such, LockBit caused the loss of billions of pounds, euros, and dollars either from ransom payments or recovery costs.

High profile victims of LockBit include the UK Royal Mail and Industrial & Commercial Bank of China (ICBC).

Tim West, the Director of Threat Intelligence and Outreach at WithSecure described LockBit as being “by far considered the most prolific, resourced, professional and capable” ransomware brand.

What was Operation Chronos?

Operation Chronos was ran by an international task force of law-enforced agencies across 10 countries. This included, the UK’s National Crime Agency (NCA) and the FBI and used resources from the private sector including partners such as, Secure works and Trend Micro.

Working collectively as one of the largest law enforcement operations against cybercrime, they successful hacked the hacker, LockBit.

The operation was led by the NCA and was able to compromise LockBit’s infrastructure by taking advantage of a software vulnerability. As a result, vast seizures took place including the public-facing leak site on the dark web. Following the takeover of LockBit’s main site which normally threatens to publish stolen data, the NCA carried out daily posts exposing LockBit’s capability and operations. Moreover, information was obtained to help the victims of previous cyber-attacks.

Key outcomes of the operation:

• Seizure of:
• LockBit’s data leak sites.
• 34 servers operated by LockBit.
• Stealbit – LockBit’s data exfiltration tool which was used to steal data.
• The closure of 14,000 “rogue accounts” involved in the group’s infrastructure or with data exfiltration
• The freezing of 200 cryptocurrency accounts.
• Two arrests made and further arrest warrants being issued.
• 1,000 decryption keys obtained to help recover victim’s data.

Is this the end of LockBit and Ransomware?

LockBit are currently locked out of their sites. Unfortunately, there are signs of a potential come back, following claims that some of their servers were unaffected due to having untouched backup servers. Similarly, a new leak site has already been published under a new URL claiming 5 new victims targeted prior to NCA overtaking their systems.

Despite the initial talks of a return, data has provided the reassurance that the average monthly LockBit attacks in the UK since the February hijack of LockBit’s site, has reduced by 75%. Moreover, there is hope that the operation will have a long-lasting impact just by demolishing LockBit’s credibility. An organisation which relied on affiliates trusting its security and secrecy, now has been shown to be susceptible to being a victim of attack themselves. Likewise, any rebuild will take time and resources. With the news of LockBit’s leader, Khoroshev being unmasked and subject to asset freezing and travel bans, there is uncertainty as to who would lead a rebranding of LockBit.

The NCA also have gained access to information regarding those who worked with LockBit and used their services to harm victims. As such, further arrests are anticipated. There is evidence that affiliates are distancing themselves from LockBit in fear that authorities are watching them, as there is now only 69 active affiliates since February.

Additionally, the NCA and FBI have access to over 1,000 LockBit’s decryption keys and have developed new decryption tools to help recover files encrypted by the LockBit ransomware. Therefore, if LockBit makes a return, there are tools already in place to try to undermine them again.

With regards to other cyberattack organisations, Searchlight Cyber, a dark web monitoring analysis found posts by other cybercrime groups expressing their surprise at the destruction of such a large crime organisation. It is thought that the takedown one of the largest players in the cybercrime game may act as a warning sign for other crime organisations to stop their operations. The operation demonstrated that if the cyber security agencies can attack and unmask even the largest cybercrime organisation, then a cybercrime organisation of any level is at high risk of being caught.

What it does this mean for you?

Businesses which hold a large volume of personal information regarding their clients have a high risk of a ransomware attack. As a business it is vital to ensure that policies and procedures are in place to protect yourself from being vulnerable to such an attack.

If you have been a victim of a ransomware attack and personal data breach, it is vital that you contact the correct supervisory authority as a matter of urgency. This will enable immediate action to be taken by the relevant authorities and attempts made to contain the incident and protect other personal data being lost or taken. This operation highlighted that even if you pay a ransom, the data may still be deleted or unrecoverable as the decryptions provided failed to work. Therefore, it has been confirmed that ransom payments are not always the end of the attack.

With regards to victims of a previous LockBit ransom, you may be contacted by the NCA in the upcoming weeks with an offer to help recover your encrypted data.