On Feb. 20, the U.K. National Crime Agency’s Cyber Division, the FBI and international partners cut off ransomware threat actors’ access to LockBit’s website, which had been used as a large ransomware-as-a-service storefront.

On Feb. 26, LockBit resumed operations at a different Dark Web address, according to Reuters. The ransomware gang stated that its administrators knew how the takedown had occurred (it claimed a vulnerability in the PHP programming language was exploited) and would run the operation from backup servers that do not have PHP installed. Meanwhile, Reuters reported that Britain’s National Crime Agency said the ransomware gang is “completely compromised.” The two sides continue to spar, with particular emphasis on an attempt to identify LockBitSupp, the person or people leading the gang.

What is the LockBit ransomware group?

According to CISA, LockBit was the most commonly deployed ransomware globally in 2023. LockBit ransomware could be delivered through compromised website links, phishing, credential theft or other methods. LockBit has targeted more than 2,000 victims since its first appearance in January 2020, collecting more than $120 million total in ransomware payments.

The gang ran its ransomware-as-a-service websites like a legitimate business, offering a data leak blog, a bug bounty program to find vulnerabilities in the ransomware, and regular updates. Attackers known as “affiliates” obtained the ransomware from the LockBit sites.

LockBit ransomware has been deployed against organizations across various industries, in particular manufacturing, semiconductor fabrication and healthcare. In addition, attackers using LockBit have turned the ransomware on municipal targets, including the U.K.’s Royal Mail.

LockBit website shut down

On Feb. 20, the U.S. Department of Justice announced that an international law enforcement action shut down numerous websites the LockBit gang used to launch ransomware attacks. Law enforcement groups from the U.S., U.K., France, Germany, Switzerland, Japan, Australia, Sweden, Canada, the Netherlands, Finland and the European Union contributed to the seizure of the LockBit sites.

Five individual alleged LockBit members have been charged for “their participation in the LockBit conspiracy,” according to the press release.

“Through years of innovative investigative work, the FBI and our partners have significantly degraded the capabilities of those hackers responsible for launching crippling ransomware attacks against critical infrastructure and other public and private organizations around the world,” wrote FBI Director Christopher A. Wray in the press release.

“For enterprise IT decision-makers, the incident serves as a vivid reminder of the necessity for robust cybersecurity measures, the value of collaboration with law enforcement and cybersecurity communities, and the need for an agile, informed response strategy,” said Lisa Plaggemier, executive director at the National Cybersecurity Alliance, in an email to TechRepublic.

Is there a decryptor for LockBit?

The U.K. National Crime Agency and international partners created decryption capabilities that can unlock data held for ransom by LockBit. Organizations targeted by LockBit can submit a form to the FBI to see if the decryption technology might work for them.

“We are turning the tables on LockBit — providing decryption keys, unlocking victim data, and pursuing LockBit’s criminal affiliates around the globe,” said Deputy Attorney General Lisa Monaco in the Department of Justice press release.

Threat actors’ responses to LockBit’s takedown

In the wake of the LockBit takedown, a team from cyber threat intelligence company Searchlight Cyber monitored Dark Web communication and found that some threat actors were unsure whether the LockBit site would be down forever.

“Even notorious actors (on the Dark Web forum XSS) known for their history of selling initial access to corporate networks – possibly even affiliates of the ransomware gang – were unsure if they should be concerned or not, not knowing to what extent the infrastructure of LockBit has been compromised,” said Vlad Mironescu, threat intelligence analyst at Searchlight Cyber, in an email provided to TechRepublic.

“We have also observed some threat actors actively blaming LockBit for bad operational security, among speculation that law enforcement agencies have leveraged vulnerabilities found in LockBit’s infrastructure to take the group down,” said Mironescu.

How to mitigate ransomware attacks

Follow cybersecurity best practices to reduce the risk of ransomware in your organization, including:

  • Not clicking suspicious links or opening suspicious emails.
  • Keeping software and hardware updated.
  • Backing up your data, including storing critical data offline.
  • Applying the security principle of least privilege, giving users access only to the company data they need.
  • Using strong spam filters and firewalls.

Plaggemier pointed out that a good, multi-layered security strategy also includes employee education, robust endpoint protection, strict access controls and privilege management, threat intelligence services, application whitelisting, regular security audits, penetration testing and participating in collaborative information-sharing initiatives.

“This holistic approach ensures preparedness and resilience against ransomware attacks, protecting critical assets and data,” Plaggemier said.
