
LockBit Ransomware Website Taken Down by US, UK and Allied Law Enforcement Agencies


LockBit’s website was taken down in February 2024 during ‘Operation Cronos’, an international effort by the FBI, the NCA and others in the UK, the RCMP in Canada, law-enforcement agencies in the US and elsewhere.

In a major success for law enforcers around the world, including the US Federal Bureau of Investigation (FBI), the UK’s National Crime Agency (NCA), Europol and other law enforcement agencies worldwide, the LockBit gang’s dark-web data-leak site was seized and taken offline.

In what might be a blow to the world’s most prolific ransomware group, the site of LockBit – a Russia-based operation responsible for the April cyberattack that took down the Colonial Pipeline network, leading to the worst gasoline shortage in US history – was seized on Monday in an international law-enforcement action dubbed ‘Operation Cronos’ that also affected at least 11 other Russian-speaking cybercriminal channels. LockBit’s shutdown is likely to create a destabilising effect on the ransomware ecosystem.

[As of 20 February 2024, 11:30 GMT:] THIS SITE IS NOW UNDER CONTROL OF LAW ENFORCEMENT. In addition, the data leak site states that it is now governed by the National Crime Agency of the UK, acting in conjunction with the FBI and the international law enforcement task force ‘Operation Cronos’. The agencies also confirm that LockBit’s services are out of operation due to the international law enforcement action; this is an ongoing and developing operation.

The post named other international police organizations from France, Japan, Switzerland, Canada, Australia, Sweden, the Netherlands, Finland, and Germany.

LockBit Ransomware Website Taken Down By International Law Enforcement Agencies

This news is significant as it comes at a time when the FBI director warns about cyber threats to U.S. critical infrastructure. A successful attack could disrupt critical services, such as power grids, oil and gas, water, transportation, healthcare, and communication networks.

According to VX-Underground, the LockBit ransomware group’s administration claims that law enforcement agencies compromised them by exploiting CVE-2023-3824.

LockBit – The Most Notorious Ransomware-As-A-Service Gang

One of the most significant ransomware services in recent times is LockBit, which runs on a Ransomware-as-a-Service (RaaS) model. It has compromised countless organisations around the world, paralysing businesses and emptying accounts. According to ransomware researchers from Recorded Future, LockBit has been the most active ransomware group, responsible for almost 2,300 attacks.

Ransomware Tracker – By The Record

LockBit is a RaaS operation: its developers supply the ransomware tooling and infrastructure to affiliates, who conduct the attacks for financial gain and send part of each ransom back to the developers. By distributing the activity across a networked structure, LockBit can scale up its operations while keeping the core developers off the radar. The group has gone after well-known institutions across many sectors, triggering data breaches and business disruptions and causing financial and reputational loss, always applying its hallmark tactic: double extortion. Researchers found that LockBit was also stealing data from victims before encrypting it and making the ransom demand.

Anatomy of Ransomware as a Service(RaaS) – By Microsoft

A hallmark of LockBit is its double extortion tactic. It not only encrypts critical data but also exfiltrates it before encryption. This creates additional pressure on victims, as refusal to pay could lead to sensitive information being publicly leaked.

LockBit has undergone several iterations, with LockBit 3.0 being the current active version.

LockBit 3.0 Logo

To help organizations combat and mitigate LockBit 3.0 ransomware attacks, CISA released the #StopRansomware: LockBit 3.0 and Understanding Ransomware Threat Actors: LockBit cybersecurity advisories in 2023.

What Happened to LockBit After the FBI Takedown

In a conversation on the dark web forums, LockBit’s administrative staff confirmed to the VX-Underground team that “The FBI pwned me.”

LockBit Accepting FBI Takedown – Source: VX-Underground on X

[UPDATE] In addition, VX-Underground, which is covering the story closely, mentions that the Lockbit ransomware group had issued a message to individuals on Tox. “ФБР уебали сервера через PHP, резервные сервера без PHP не тронуты” that translates to “The FBI fucked up servers using PHP, backup servers without PHP are not touched.”

LockBit affiliates are currently unable to leverage the resources of LockBit, indicating a successful disruption of LockBit operations. The following is the screenshot that depicts what a LockBit ransomware affiliate sees when they log in to the LockBit affiliate portal.


LockBit Affiliate Portal After the FBI TakeDown – Source: VX-Underground on X

As per the latest update, the LockBit ransomware team sent an email to all its affiliates, “Subject: Important Security Notice from Lockbit – Action Required,” asking them to reset their passwords and enable multi-factor authentication.

LockBit Ransomware Emails Its Affiliates About FBI Takedown – Source: AzAl Security on X

As of 20 February 2024, the LockBit dark web data leak website displays critical information related to LockBit, including Lockbit Backend Leaks, Lockbitsupp, Who is Lockbitsupp?, US Indictments, Sanctions, Arrest in Poland, Activity in Ukraine, Report Cyber Attacks!, Cyber Choices, StealBit down!, Affiliate infrastructure down, Lockbit’s Hackers exposed, Prodaft, Account Closures, Secureworks, etc. Most importantly, post-takedown, the LockBit data leak website displays Lockbit Decryption Keys, Recovery Tool, Lockbit’s new encryption tool, and Lockbit Crypto.

LockBit website post-takedown

This is a significant blow to cybercrime groups and definitely a message from law enforcement agencies.

What the LockBit Ransomware Website Takedown Signifies

This was ultimately a serious setback for LockBit. It is too soon to evaluate the full impact of this operation, but there are several reasons to believe that it may be just the beginning.

1. Undermining a Global Threat: LockBit’s client base is far-reaching, so taking out their infrastructure and their leak site prevents them from being able to operate internationally, while also instilling fear in any existing or potential affiliates.

2. A Message to Cybercriminals: The operation is sending the strong message that co-ordination between law enforcement agencies can disrupt even advanced cybercriminal groups and deter other groups in the dark web shadows.

3. Potential Victim Relief: While it is not yet clear that any decryptors have been passed on to victims, the disruption can provide victims with pathways to recover their data and can potentially reduce or redirect payouts that would otherwise go to unethical decryptors.

This is a victory for law enforcement, including the FBI. LockBit’s takedown is the result of international law enforcement cooperation and proper cyber hygiene working at their best. But it isn’t the end of it. As long as people remain ignorant of what’s going on, as long as they are not exercising solid cybersecurity, and as long as resources are not devoted to these efforts, the space for cybercrime is ever-present.


For more cybersecurity news and updates, follow us on Cybersecurity – The SOC Labs.

Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.
