)
On February 19, 2024, the UK’s National Crime Agency (NCA) seized LockBit’s dedicated leak site (DLS), in addition to other key components of its infrastructure. As one of the most prolific and profitable ransomware operations ever, LockBit has been active since September 2019, attacking major corporations and governmental organizations throughout the world. The NCA carried out the seizure of LockBit’s infrastructure as the centerpiece of Operation Cronos, a multinational sting carried out with help of the U.S. Federal Bureau of Investigation (FBI) and law enforcement agencies from nine other countries.
LockBit – A renowned leader in the cybercriminal underground
According to the U.S. Department of State (DOS), LockBit actors have launched more than 2,000 ransomware attacks, disrupting operations, destroying information, and exfiltrating sensitive data. The DOS estimated that LockBit and its affiliates collected over $144 million in ransom payments from victims attempting to recover encrypted data stolen during LockBit attacks. The UK’s National Crime Agency (NCA) recently identified over 500 active LockBit-related cryptocurrency addresses that received over $125 million in Bitcoin (BTC) between July 2022 and February 2024, with 2,200 BTC (~$110 million) unspent.
LockBit helped pioneer the ransomware-as-a-service (RaaS) business model, which has been replicated by its competitors, including ALPHV/BlackCat, Rhysida, and Black Basta. The gang was widely viewed as the industry leader, rolling out multiple strains of its ransomware. The operation not only invested in its own research-and-development, it launched the first bug bounty program in the ransomware world.
The story beyond the headlines
According to the NCA, Operation Cronos compromised LockBit’s “entire criminal enterprise,” seizing not only the gang’s DLS, but also infrastructure based in three countries, including 28 servers belonging to LockBit affiliates. In total, at least 34 servers were disrupted in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.
Since seizing the DLS, Operation Cronos has used the platform to expose information about the cybercrime operation, maintaining its original design and formatting in an attempt to humiliate LockBit’s operators. Among the details provided by NCA were descriptions of LockBit’s primary administration environment, which RaaS affiliates used to carry out attacks.
Figure 1: The seizure banner placed on LockBit’s DLS after it was seized during Operation Cronos
The NCA specified that it obtained the LockBit platform’s source code, in addition to droves of LockBit intelligence related to the operation’s affiliates and activities. This includes thousands of keys from “unprotected decryptors.” LockBit claims that law enforcement only had access to 2.5% of the total number of decryptors (~40,000), generated over the course of the operation’s existence.
The NCA emphasized that it discovered data from victims who had paid ransoms, confirming the agency’s previous warnings that cybercriminals cannot be trusted to honor commitments to destroy/delete data when victims meet data extortionists’ demands.
Operation Cronos also netted law enforcement more than 1,000 decryption keys, which can ostensibly be used by victims to restore data. Over 200 LockBit-related cryptocurrency accounts were also frozen.
LockBit’s spokesperson, a threat actor who has used the handle LockBitSupp is yet to be arrested and appears to be continuing his direction of the RaaS’ operations. Cybersixgill observed threat actors on the underground claiming that other LockBit dark web sites appeared operational as of February 20, 2024, including data hosting sites and private messaging infrastructure, despite the group’s ransom negotiation sites remaining out of commission.
How Operation Cronos dealt a damaging blow
According to LockBit, Operation Cronos infiltrated the ransomware’s infrastructure by exploiting a flaw in PHP scripting language, which the RaaS operation used to develop its sites.
The flaw in question is tracked as CVE-2023-3824 and was identified by LockBit itself in messages on Tox as the cause of the breach. LockBit’s message identifying the PHP flaw subsequently circulated on dark web forums and Telegram channels, and a potential PHP flaw was also identified by LockBit in its lengthy missive posted after the sting.
While LockBit appears to acknowledge the PHP flaw as the weak point in its operational security (OPSEC) posture, the gang also claimed that its backup servers had not been reached, since they are apparently not vulnerable to CVE-2023-3824. These claims are likely a face-saving strategy to preserve its reputation on the underground, and among potential and current affiliates, the group’s ongoing activities (discussed below), lend credence to the gang’s narrative.
LockBit is down but not out
Mere days after the NCA unveiled Operation Cronos and announced the seizure of key LockBit infrastructure, including the hijacked law-enforcement controlled version of the DLS, the RaaS operation launched a new leak site, almost immediately adding new victims.
In addition to adding victims to the revamped DLS, LockBit’s new leak site includes a +3,000 word diatribe providing the gang’s version of why and how law enforcement was able to infiltrate its defenses, which was also disseminated on cybercrime forums.
Among the information provided in that message was the contention that LockBit was aware of “penetration testing” prior to Operation Cronos being revealed by NCA. The red flags were ignored however, because the group’s leader claimed he was “lazy” and “swimming in money.”
The message specifically identified the causes of the sting as (1) “personal negligence and irresponsibility,” and (2) failure to “update PHP in time,” identifying CVE-2023-3824 as the flaw through which access was gained to two main servers.
LockBit also declared that its competitors are likely to be vulnerable to infiltration by law enforcement due to CVE-2023-3824 or other similar zero-day vulnerabilities.
According to LockBit, the authorities may have had access to its infrastructure for an extended period, but only pulled the trigger on Operation Cronos because the gang attacked Fulton County, Georgia (https://fultoncountyga.gov/) where the District Attorney is currently pursuing former U.S. president Donald Trump for alleged interference in the 2020 elections. LockBit claimed, without proof, it had access to data that the FBI did not want leaked, so it shut down the gang’s DLS.
LockBit claimed the FBI obtained a database and web panel sources, but no ransomware source code. LockBit also denied that authorities (1) discovered the identities of affiliates, or (2) arrested the “real” Bassterlord. LockBit downplayed the value of the individuals arrested, claiming they were “just people who launder[ed] cryptocurrencies,” and not key figures in the operation.
The message in general seemed to relish the attention from the FBI, claiming that Operation Cronos targeted LockBit because it has been so successful. The message also claimed that the FBI’s actions were designed to destroy the gang’s reputation and affiliate program, and to force LockBitSupp into retirement.
It goes without saying that all of the claims in this missive should be taken with a grain of salt, as threat actors on the underground have been observed bending the truth to improve their own image. In the world of RaaS operations, reputation and airtight OPSEC are the calling cards of major players. The type of OPSEC failures that led to Operation Cronos’ gains likely affected LockBit’s standing, and the surviving threat actor(s) may be attempting to salvage the operation’s reputation.
As of February 28, 2024, LockBit’s new DLS had 15 victims of ransomware attacks, which seemed to prove that Operation Cronos did not reach key LockBit figures, including LockBitSupp.
Prior to the DLS seizure, LockBit developers were allegedly building a new version of their file encrypting malware (aka LockBit-NG-Dev/LockBit 4.0), which may have been used in the post-Operation Cronos attacks.
In addition to the LockBit-related activity observed since Operation Cronos, a copycat leak site was also launched by what appeared to be a potentially distinct group, replicating word-for-word LockBit’s design, look-and-feel, and affiliate rules.
Attacks were also observed leveraging an authentication bypass vulnerability (CVE-2024-1709) in ScreenConnect (ConnectWise Control) servers to deploy ransomware payloads identified as a LockBit variant associated with the Buhti (aka Blacktail) operation.
Taken as a whole, it appears that at least one key LockBit actor remains at large, operating new infrastructure and potentially continuing to collaborate with affiliates. In addition, there appear to be other threat actors, such as the copycat group, attempting to capitalize on LockBit’s misfortunes.
Can LockBit recover?
Operation Cronos will likely impact the group’s standing among a key demographic of its collaborators: those capable of breaching “big game” victims who can pay hefty ransoms. These individuals may include sophisticated penetration testers, including former members of now-disbanded gangs such as REvil and Conti, who may be less willing to work with LockBit now.
Operation Cronos may also affect LockBit’s ability to form alliances with threat actors associated with ALPHV/BlackCat, affiliates of which LockBit was seen attempting to recruit when the former experienced its own recent run-ins with law enforcement.
The response from the underground
Predictably, Cybersixgill observed a large volume of underground chatter related to the LockBit sting, including lengthy discussions about OPSEC and the future of ransomware in general.
While some of the discourse has been critical of LockBitSupp, his ability to relaunch the DLS and continue his attacks despite disruptions appears to have earned respect from some members of English and Russian language cybercrime forums.
Operation Cronos has also caused certain threat actors to seek alternatives to the LockBit panel, polling forum members about comparable operations.
If Operation Cronos succeeds in slowing down the pace of LockBit attacks, it could cause an overall decrease in ransomware attacks in 2024. In light of LockBit’s continuing operations and the regular emergence of new ransomware strains, in addition to continued operations by LockBit’s RaaS competitors and lone wolves, ransomware attacks will most likely remain a significant threat for the foreseeable future.
)
)
)
)