The UK National Crime Agency's Cyber Division, the FBI and international partners have cut off ransomware threat actors' access to the LockBit website, which has been used as a major ransomware-as-a-service showcase.
What is the LockBit ransomware group?
According to CISA, LockBit was the most common type of ransomware deployed globally in 2023. LockBit ransomware could be deployed via links to compromised websites, phishing, credential theft, or other methods. LockBit has targeted more than 2,000 victims since its first appearance in January 2020, and ransomware payments to the group total more than $120 million.
The gang ran its ransomware-as-a-service websites like a legitimate business, offering a data breach blog, a bug bounty program to find vulnerabilities in its ransomware, and regular updates. Attackers known as “affiliates” would receive ransomware from LockBit sites.
LockBit ransomware has been deployed against organizations across various industries, particularly manufacturing, semiconductor manufacturing, and healthcare. Additionally, attackers using LockBit have directed ransomware at municipal targets, including the UK's Royal Mail.
LockBit website shut down
On February 20, the US Department of Justice announced that an international law enforcement action shut down numerous websites that the LockBit gang used to launch ransomware attacks. Law enforcement groups from the US, UK, France, Germany, Switzerland, Japan, Australia, Sweden, Canada, the Netherlands, Finland and the European Union contributed to the seizure of the LockBit sites.
Five individuals alleged to be LockBit members have been charged for “their involvement in the LockBit conspiracy,” according to the press release.
“Through years of groundbreaking investigative work, the FBI and our partners have significantly degraded the capabilities of hackers responsible for launching devastating ransomware attacks against critical infrastructure and other public and private organizations around the world,” FBI Director Christopher A. Wray wrote in the press release.
Is there a decryptor for LockBit?
The UK National Crime Agency and international partners have created decryption capabilities that can unlock data held for ransom by LockBit. Organizations targeted by LockBit can submit a form to the FBI to see if the decryption technology could work for them.
“We are turning the tables on LockBit: providing decryption keys, unlocking victim data, and pursuing LockBit's criminal affiliates around the world,” Deputy Attorney General Lisa Monaco said in the Department of Justice press release.
Threat actor responses to LockBit takedown
In the wake of LockBit's downfall, a team from cyber threat intelligence firm Searchlight Cyber monitored Dark Web communication and found that some threat actors were unsure whether the LockBit site would be down forever.
“Even notorious actors (on the Dark Web point LockBit infrastructure has been compromised,” said Vlad Mironescu, threat intelligence analyst at Searchlight Cyber, in an email provided to TechRepublic.
“We have also observed that some threat actors are actively blaming LockBit for poor operational security, amid speculation that law enforcement agencies have exploited vulnerabilities found in LockBit's infrastructure to take down the group,” Mironescu said.
How to mitigate ransomware attacks
Follow cybersecurity best practices to reduce the risk of ransomware in your organization, including:
- Do not click on suspicious links or suspicious emails.
- Keep software and hardware updated.
- Back up your data, including storing critical data offline.
- Apply the security principle of least privilege, giving users access only to the company data they need.
- Use powerful spam filters and firewalls.
TechRepublic has reached out to the National Cybersecurity Alliance to learn more about how organizations can protect themselves against LockBit and other ransomware.