On May 5, 2024, the Federal Bureau of Investigation (FBI), Europol, and the U.K.’s National Crime Agency revived the LockBit leak site seized during ‘Operation Cronos’ to hint that further information shedding light on the ransomware group’s operations and actors will be released on Tuesday, May 7.
This measure follows the February 2024 seizure of LockBit’s primary Tor-based leak site, 34 servers, crypto wallets, and decryption tools, which LockBit blamed on its own negligence and irresponsibility. At the time, the Operation Cronos team used the seized leak site to reveal details on LockBit’s operations, its affiliates, and how the group lies to its victims by not always deleting stolen data even after a ransom is paid.
Operation Cronos also promised to reveal the identity of ‘LockBitSupp’, the individual believed to be in charge of LockBit’s operation. However, this information was never revealed; the Operation Cronos team simply indicated that LockBitSupp had “engaged with Law Enforcement.”
As seen below, the revived leak site hints that further information on backend facts and figures, LockBit members, and the LockBitSupp persona will be revealed on Tuesday.
Source: Bleeping Computer
Analysis
The revival of the seized leak site is the latest phase of the cat-and-mouse game between international cyber authorities and LockBit since February 2024 when Operation Cronos was revealed publicly. Operation Cronos represented a major win for the participating agencies and a benchmark for international collaboration against ransomware groups.
However, LockBit’s quick recovery demonstrated just how hard it is to permanently neutralize ransomware groups that seemingly regroup and re-tool as quickly as law enforcement agencies can take them down.
It’s hard to say whether the individual known as LockBitSupp did indeed decide to cooperate with law enforcement, or whether that claim was simply a tactic to scare LockBit members or turn them against one another. With any luck, this information will be disclosed tomorrow.
Mitigation
While defending against ransomware attacks may seem intimidating, even a few simple, easy-to-implement best practices can help prevent attacks. Field Effect recommends that organizations adopt the following best practices:
Back up your data
Regular backups of sensitive and important information can help ensure business continuity during a ransomware attack. These backups should be stored separately from the operational network so that they will not be encrypted during an attack and can therefore be used to restore devices.
Update and patch software
Regular patching, updating, and maintenance help protect against or eliminate known cybersecurity vulnerabilities in IT systems, and are among the most important steps you can take to improve your security.
Protect systems connected to the internet
Using a DNS firewall limits access to known malicious websites, helping to defend against potential social engineering attacks while blocking malicious code and securing access to cloud apps and corporate websites.
Leveraging a virtual private network (VPN) can also help, giving workers a secure means of accessing corporate data or otherwise connecting to networks from remote locations.
Develop a culture of cybersecurity
Organizations should train employees to watch for and understand the tricks attackers use, spot and avoid potential phishing links, and flag requests for personal information or credentials.
Strong password policies, password managers, and multifactor authentication (MFA) also make it more difficult for threat actors to guess, brute force, or use stolen credentials.
Use a cybersecurity solution
Staying ahead of ransomware demands a view into what’s happening across your IT environment. Tools like Field Effect MDR that detect and respond to suspicious activity across networks, end-user devices, and cloud services can help identify and mitigate potential threats early.