The culmination of a months-long international police operation, dubbed ‘Operation Cronos’, has dealt a significant blow to the LockBit ransomware group resulting in the arrest of some of its members, the seizure of its platform and data, and the public release of a decryptor tool. The operation also revealed significant insight into the group's tactics, techniques and procedures (TTPs).
Operation Cronos was led by the UK’s National Crime Agency (NCA) with support from Europol, Eurojust, and global law enforcement agencies. The task force was able to take control of 34 servers that made up LockBit’s primary platform, as well as 14,000 accounts used by the group to host tools and store data stolen from victims. The operation also seized 200 crypto-wallets and 1,000 decryption keys which were used to develop a decryptor tool that is now available to the public.
During the operation, investigators discovered that stolen victim data was still retained, despite the victim paying the ransom.
In addition to seizing the group’s technical infrastructure, two of its members were arrested in Ukraine and Poland, while two other Russia-based members were indicted by the US Justice Department.
The operation saw LockBit’s TOR website taken down and replaced with a banner explaining the site had been seized and displaying the flags and logos of the various countries and agencies who participated in the operation.
Image 1: Screenshot of seized LockBit dark website
LockBit’s affiliate panel was also changed to deliver a bold message to affiliates that their information, LockBit source code, chats, and victim information were seized, and that they may be hearing from authorities soon. The task force even seemed to troll LockBit by replacing its victim webpage with one using the same format and style but highlighting the operation's successes.
Image 2: Screenshot from seized LockBit victim list site
Source: Bleeping Computer
Analysis
This joint operation is a major win for the participating agencies that will have a large impact on LockBit’s ability to conduct ransomware activities for the foreseeable future.
However, ransomware groups have demonstrated the ability to regroup and retool after experiencing such takedowns before, so it’s likely that the LockBit ransomware group will eventually return in some form or another.
This case revealed some interesting details about LockBit’s inner workings. For example, both Ukrainian and Russian nationals were revealed as members of LockBit, proving that at least some cybercriminals are not willing to let conflicts between their home nations come between them or their potential to earn thousands of dollars from exploiting victims of cybercrime.
Additionally, the presence of data belonging to victims who did pay a ransom serves to further prove that cybercriminals cannot be trusted and that victims should avoid paying ransom. This data is likely retained to enable a secondary extortion attempt or to sell to other cybercriminals.
So far, 2024 has been a great year for law enforcement and intelligence agencies mandated with investigating and defeating malicious cyber activities. Operation Cronos comes shortly after US authorities launched two separate operations to dismantle botnets used by Russian and Chinese state-sponsored hackers, dealing both countries a significant blow to their offensive cyber capabilities.
Mitigation
While defending against ransomware attacks may seem intimidating at first, even a few simple, easy-to-implement best practices can help prevent attacks. Field Effect recommends that organizations adopt the following best practices:
Back up your data
Regular backups of sensitive and important information can help ensure business continuity during a ransomware attack. These backups should be stored somewhere different than the operational network so that they would not be encrypted during an attack, and thus can be used to restore devices to a working, secure state.
Update and patch software
Regular patching, updating, and maintenance help protect against or eliminate known cybersecurity vulnerabilities in IT systems and can prevent attackers from accessing systems via the internet.
Protect systems connected to the internet
Using a DNS firewall limits access to known malicious websites, helping to defend against potential social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites.
Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or connecting to remote networks.
Develop a culture of cybersecurity
Organizations should train employees to:
- Watch for and understand the tricks attackers use
- Spot and avoid potential phishing links
- Flag requests for personal information or credentials
Strong password policies, password managers, and multifactor authentication (MFA) also make it more difficult for threat actors to guess, brute-force, or use stolen credentials.
Use a cybersecurity solution
Staying ahead of ransomware demands a view into what’s happening across your IT environment. Tools like Covalence that detect and respond to suspicious activity across networks, end-user devices, and cloud services can help identify and mitigate potential threats early.
Related articles