In February 2024, Operation Cronos, a coalition of international law enforcement agencies led by the UK National Crime Agency and the US FBI, took control of the attack infrastructure of the infamous LockBit ransomware gang, considered the “most damaging cyber group” in the world. A sigh of relief resonated throughout the information security community, with many believing this marked the end of an ongoing nightmare. However, reality turned out to be different: less than a week later, the ransomware-as-a-service operator was back online with a new leak site, listing five victims and countdown timers for the publication of the stolen data.
This resurgence is not atypical. These threat groups are increasingly deploying advanced attack infrastructure and comprehensive backups that allow them to return to operations. I will present three recent examples that demonstrate the resilience of these groups in the face of police interventions.
Cyber Intelligence Director, Netskope.
LockBit's resilience
Ironically, to take over the LockBit website, law enforcement exploited CVE-2023-3824, a vulnerability affecting PHP, which mirrors one of the main attack vectors used by the LockBit group itself, namely vulnerability exploitation. According to the threat actor, “personal negligence and irresponsibility” delayed the application of the patch and made the takeover possible. And yet, LockBit's immediate return was facilitated by the availability of backups, an essential best practice for any organization. Following the takedown, LockBit confirmed the breach, but also stated that they had only lost servers running PHP, while their non-PHP backup systems remained intact.
Before the brief outage, LockBit was one of the main threats to the financial sector. As expected, attacks carried out via LockBit ransomware and its variants continued throughout 2024, even after the takedown. This persistence was due in part to another fairly common complication in the threat landscape: the source code of the ransomware builder had already been leaked online by a disgruntled developer, spawning multiple variants that continue to plague businesses around the world, driven by the continuous exploitation of vulnerabilities.
The existence of backups indicates that the attackers built a resilient infrastructure with a contingency plan, anticipating the possibility of being taken over. At its core, cybercrime is a business, so threat actors adopt the best practices that every company should follow, building robust infrastructures to ensure protection against outages or disruptive events, such as a law enforcement takedown. This serves as an important wake-up call, reminding us that even when law enforcement agencies dismantle a criminal infrastructure, the operation may not be over for good.
A BlackCat exit
A second demonstration of the resilience of malicious infrastructure is an analogous event involving a different ransomware operation. In December 2023, law enforcement led by the US FBI (and involving agencies from the United Kingdom, Denmark, Germany, Spain, and Australia) seized the BlackCat/ALPHV infrastructure. However, two months later, the ransomware group unexpectedly resurfaced and claimed responsibility for several high-profile attacks in the financial and healthcare sectors.
An interesting twist in this comeback involved the attack on Change Healthcare, which ended with the victim organization paying a ransom of $22 million in Bitcoin. Two days after the payment was made, allegations surfaced that the ransomware operation had swindled its affiliates out of their share of the proceeds, and four days after the payment (two days after the allegations), the FBI and other law enforcement agencies appeared to have taken down the leak site again.
However, law enforcement denied any involvement in this second shutdown, and this, along with the fact that the page that appeared on the leak site after the second apparent shutdown looked like a copy of the original December 2023 takeover notice, led experts to speculate that the threat actors may have executed an exit strategy: happy to leave the scene with $22 million in their pockets, cutting ties with their affiliates and potentially selling the ransomware source code for $5 million, a common practice recently adopted by the Knight 3.0 ransomware. This evidence suggests that the emergence of variants will extend the lifecycle of this malware well beyond the shutdown of the original operation.
The way this story appears to have ended suggests not only that organized criminal operations are resilient and often able to survive takedown efforts by law enforcement agencies, but also that threat actors can decide to leave the scene voluntarily. They might do so because they believe they have achieved their lucrative goals or because they believe market conditions are no longer favorable. In the case of BlackCat/ALPHV, it is believed that the fluctuation in the price of Bitcoin, or even a possible shift in focus towards other targets, such as Ukraine (given that the threat actors are of Russian origin), may have influenced their decision to close the operation.
Evading law enforcement
Recurrences of malicious operations after shutdown attempts by law enforcement are not limited to ransomware operations. A third notable example is the brief takedown of the infamous Qakbot botnet through Operation Duck Hunt, carried out by the FBI and its partners in 2023. Qakbot is one of the most flexible weapons available to threat actors due to its modular nature, which allows it to distribute multiple malicious payloads, including several strains of ransomware, and has caused hundreds of millions of dollars in damage. As expected, this apparent victory was short-lived. Just two months after the law enforcement operation, threat actors had overhauled their malicious infrastructure to distribute additional payloads.
More Qakbot campaigns were detected, featuring new variants with malware improvements. These campaigns included the distribution of Cyclops and Remcos remote access tools in October 2023 via malicious PDF documents to the hospitality industry under the guise of fake IRS communications, as well as a fake Windows installer in January 2024. According to Netskope Threat Labs, Qakbot was one of the top threats targeting the retail sector between March 2023 and February 2024, showing the resilience and flexibility of an attack infrastructure.
Stay alert
Cybercrime is now big business, and attackers have vast resources to create increasingly widespread and resilient threats. To combat these sophisticated attacks, organizations must adopt a comprehensive security strategy that is continuous, pervasive, and resilient. This involves implementing multi-layered defenses, continuous monitoring, real-time threat detection, and regular security assessments.
Additionally, it would be prudent to follow the lead and learnings of these resilient threat actors by fostering a culture of cybersecurity awareness, maintaining up-to-date systems, and having robust incident response and disaster recovery plans. Eliminating all cybersecurity blind spots is crucial, as even minor vulnerabilities can lead to major breaches. Organizations must be prepared to defend against all types of threats and attack groups.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in today's tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.