Countering ransomware remains one of the top priorities for nations and their law enforcement and intelligence agencies. The growth of ransomware, which can largely be attributed to its high profits combined with the safe haven given to ransomware actors in Russia, has evolved into a cybercrime battle with no perfect solution. The transnational nature of this crime has caused law enforcement to mount complex technical operations against these groups. Those operations have aimed to identify and name perpetrators, disrupt technical infrastructure, make arrests where possible, impose sanctions and seize their cryptocurrency. Some of these operations have immediately stopped some ransomware groups. Other operations have degraded the capabilities of ransomware groups, which eventually resulted in the end of their operations.
Until recently, the LockBit ransomware-as-a-service (RaaS) reigned uncontested as the most impactful ransomware group operating within the cybercrime underground. Its notoriety hinged on bold marketing stunts and an outspoken leader, the threat actor LockBitSupp. However, it was the sheer number of victims, which at last count may have been as high as 7,000, that propelled the gang into the spotlight and the crosshairs of law enforcement. In two separate actions in February 2024 and May 2024, law enforcement struck back at LockBit in Operation Cronos, an operation that deeply infiltrated its infrastructure. As of this writing, the group continues to function. In this post, we will analyze the effects of takedowns and disruptions against several high-profile ransomware groups including ALPHV, Hive, Ragnar Locker, REvil and NetWalker, with the aim of providing a projection of the future of LockBit.
Operation Cronos Recap
On Feb. 19, 2024, the LockBit RaaS was disrupted in an operation U.K. National Crime Agency (NCA) officials conducted in cooperation with partner law enforcement agencies.
On Feb. 20, 2024, the U.S. Department of the Treasury announced the designation of two individuals affiliated with LockBit: Artur Sungatov and Ivan Gennadievich Kondratiev aka Bassterlord, FishEye. Additionally, two suspects allegedly implicated in the LockBit gang’s activity were taken into custody in Poland and Ukraine.
On Feb. 24, 2024, the actor LockBit posted a lengthy statement on the RAMP forum that admitted negligence with regard to network security and provided an assessment of how the infrastructure was penetrated, likely through the exploitation of the CVE-2023-3824 vulnerability. The actor also claimed to have recovered portions of LockBit’s infrastructure and stated the victim name-and-shame blog was available at a new Tor domain.
On Feb. 25, 2024, LockBit threatened to purchase "all .gov .edu .org" compromised network access credentials. The actor also indicated there would be reprisals for the disruption and allegedly planned to attack the government sector “more often.”
On May 5, 2024, former LockBit data leak sites that were seized in the previous disruption in February 2024 came back online as law enforcement promised new information about the group’s illegal and damaging activity. The sites displayed countdown tiles in the same style LockBit used to list ransomware victims, including short descriptions of what was planned to be revealed.
On May 7, 2024, U.S. law enforcement unsealed an indictment against Russian national Дмитрий Юрьевич Хорошев (Eng. Dmitry Yuryevich Khoroshev), born April 17, 1993, for an alleged role in running the LockBit RaaS affiliate program. The actor also allegedly operated the putincrab and NeroWolfe online personas on multiple forums.
Operation Cronos Impact
The February disruption had an immediate impact on the number of victims that LockBit claimed to have attacked compared to the same period one year prior. When a threat group claims to have attacked an organization, we immediately publish a Breach Alert on our platform. From Jan. 1, 2024, to Feb. 18, 2024, the day prior to the initial disruption, we published 145 Breach Alerts about victims LockBit claimed to have attacked. Since the relaunch of the group’s data leak blog in late February 2024 until May 16, 2024, we published 154 Breach Alerts about victims LockBit claimed — significantly fewer than the 268 victims we reported during the same period the previous year. Of those 154 “new” victims, we discovered at least 48 were duplicates of attacks executed before the initial disclosure of Operation Cronos, likely carried out from as early as July 2022 until a few days before the disruption announcement. The group also listed alleged victims compromised by other ransomware groups, predominantly the ALPHV RaaS, although the exact dates and responsibility of the compromises remained unclear at the time of this report. We acknowledge that these figures could change, as there is usually a lag time of several weeks to months between when an organization is compromised and when that organization’s data is published on a data leak site. Nevertheless, the disruption to LockBit’s operational processes likely has resulted and will continue to result in a gradual downtick in victims.
Other Ransomware Groups Benefit
RaaS groups depend on attracting other groups of threat actors, or affiliates, to rent their infrastructure and malware. These affiliates pay a share of ransoms that come from successful extortion schemes to the RaaS. The LockBit group ran one of the largest RaaS programs. By gaining access to LockBit’s infrastructure, law enforcement uncovered that the program had more than 190 affiliates. In December 2023, around two months before the first action against LockBit, law enforcement conducted an operation against ALPHV aka BlackCat, which was the second most impactful ransomware group in 2023 following LockBit.
By March 2024, ALPHV was no more after pulling what appeared to be an exit scam, and the ransomware landscape subsequently began to show the effects of the disruptions of both groups. The increased law enforcement scrutiny surrounding ALPHV and LockBit possibly forced many affiliates still looking to remain active to shift to other RaaS programs. Like any service industry, actors often look for the most attractive package before committing, which prompts competition between RaaS programs for their business. When a customer loses faith in a brand, they can move to another — especially after law enforcement action. With this in mind, the migration of ALPHV and LockBit affiliates to other ransomware programs after their disruption was inevitable.
Several existing and recently created ransomware groups including BlackSuit, Black Basta, Hunters International, INC., Medusa, Play and RansomHub became more active. The Play group showed a significant spike in breaches from January 2024 to March 2024 from five to 43, then a notable decline to 25 breaches in April 2024. The Play group is considered a veteran of the ransomware market and has been in the top three most impactful groups over the last six months. A newcomer to the ransomware market, the RansomHub RaaS, which emerged in early February 2024, showed growth in its infections from just four victims in February 2024 to 13 in March 2024 and 16 in April. In early April 2024, we reported that the actor notchy, a former ALPHV affiliate who was responsible for an attack against the U.S.-based health care technology company Change Healthcare Inc., allegedly joined the RansomHub program. Additionally, the BlackSuit ransomware group claimed to have compromised 20 victims in April 2024 compared to eight victims in March, and the Hunters International group increased its victim count by more than 65% from 15 entities in March 2024 to 25 in April. We also observed that the INC. RaaS, which surfaced in August 2023, claimed to have compromised 26 victims in March and April 2024 after a pause in activity in February 2024.
At least one group made a direct push to recruit LockBit affiliates and capitalize on the group’s problems. In late February 2024, the Medusa RaaS announced an intake of new affiliates and offered high ransom cuts from 70% to 90%, 24/7 support and the availability of several “teams” within the group including an administrator team, media team and negotiators. Other groups almost certainly sought to capitalize on emphasizing “trust” as a core value to reassure would-be members who were stung by the law enforcement actions.
Previous Disruptions: What Can We Learn?
The ransomware ecosystem has experienced several law enforcement operations throughout the past few years. We assess that by looking at historical disruptions and takedowns against ransomware programs and their effects, we can better evaluate the likelihood of possible scenarios regarding the future of the LockBit RaaS. Below is a timeline of multiple disruptions of several high-profile ransomware groups including ALPHV, Hive, Ragnar Locker, REvil and NetWalker, which resulted in complete or partial closure of the groups’ operations.
One Outcome: Immediate Impact
The activity displayed in Figure 2 indicates law enforcement and intelligence agencies continue to improve anti-ransomware tactics dedicated to hampering and dismantling ransomware infrastructure. Disruptions against Hive, NetWalker and Ragnar Locker all resulted in the complete cessation of group activity. The operation against Hive in particular is unlike that of Operation Cronos due to the advanced level of penetration law enforcement agencies were able to achieve and the protracted nature of the operation. This disruption highlights the impact of a well-implemented announcement and information campaign. The group failed to post new victims following the operation and the eventual sale of Hive’s source code and infrastructure signaled the definitive end of the group. The NetWalker RaaS also did not post any new victims after it was impacted by law enforcement action.
Prolonged inactivity suggested NetWalker had completely vanished. However, on Jan. 24, 2024, we discovered a new victim shaming and data leak blog operated by the Alpha aka Alpha Locker, MyData group. In early March 2024, we examined the Alpha ransomware operation, which first was observed in February 2023. Our findings together with research conducted by the Symantec endpoint protection software provider revealed several similarities and technical overlaps between Alpha ransomware and NetWalker. While it was unclear whether the same threat actor or actors operated Alpha ransomware or if another actor acquired and repurposed the code, the similarities suggested a strong connection between the two groups. Nevertheless, we reported the Alpha group impacted only 13 victims from January 2024 to April 2024 and assess it is unlikely to compete with other existing or recently created RaaS groups vying for the top spots left open by the demise of ALPHV and the blow to LockBit.
Another Outcome: Delayed Impact
While some law enforcement action leads to the near immediate and complete closure of ransomware operations, other disruption attempts take longer to reveal their full impacts. For instance, after REvil’s infrastructure went offline in July 2021, the group remained somewhat active until law enforcement action was disclosed in October 2021. However, it only posted nine victims, which is significantly fewer than the number of victims claimed before the disruption.
Additionally, after the announcement of arrests and further takedowns of REvil-related individuals and infrastructure in November 2021 and January 2022, an actor or actors claiming to be a part of the REvil ransomware group launched a Tor-based victim shaming blog in late April 2022, and we reported the group allegedly impacted 15 victims from April 2022 to November 2022. However, it was unclear if these perpetrators belonged to the original REvil group. Moreover, the underground community expressed skepticism over this alleged REvil return, with many actors believing it was additional law enforcement action. Others stated REvil irreparably lost its credibility and reputation after the loss of infrastructure and group members’ arrests. Consequently, the initial unexpected infrastructure shutdown, an array of law enforcement efforts and subsequent announcement of arrests and indictments put an end to the REvil gang.
The disruption of ALPHV is another example where the effects of law enforcement action were not immediate but still assisted in the demise of a notable RaaS. In the 75 days between the disruption and eventual termination of ALPHV, the group posted 63 victims to its name-and-shame blog — fewer than the 89 victims claimed during the same period preceding the disruption. Additionally, the RaaS possessed several similarities to LockBit in terms of victim numbers, affiliate base and profile. The disruption also demonstrated some parallels, such as the seizure of domains, which was contested and then subsequently restored. The disruption of ALPHV was well publicized and caused shockwaves in the underground, prompting many other ransomware groups, including LockBit, to try and poach unsettled ALPHV affiliates. While the eventual termination of ALPHV operations may not have been the direct result of law enforcement action, the damage to the group’s image and loss of revenue almost certainly played into its calculations when deciding to conduct an exit scam.
Assessing LockBit’s Future
There are several possible developments that could play out in relation to LockBit’s future moving forward. We assess the selection of drivers seen in the images below likely will be integral to LockBit’s fate. We then made informed assumptions on the trajectory of these drivers, which led us to our baseline, plausible and wildcard assessments.
We assess our baseline theory as the most likely outcome for LockBit’s future. Since relaunching its data leak site in late February 2024, we recorded significantly fewer victims listed. While the number of victims claimed post-disruption still makes the group one of the more impactful in the ransomware ecosystem, the figure is far less than we recorded during the same period the previous year. Furthermore, open source reports alongside our own research showed duplicates from previously executed attacks on the list of alleged “new” victims LockBit claimed post-disruption. While we acknowledge not all victims always are named, the drop is stark and indicates group members likely are struggling to encourage remaining affiliates to resume operations.
Moreover, the recent reveal of LockBitSupp’s real-world identity possibly will compound this decline. Although Operation Cronos was relatively limited in scope, the highly public nature with which it was conducted helped to amplify the impact. The slow drip of information is further evidence of this method and likely will cultivate additional anxiety among LockBit affiliates, who possibly will lose faith in the RaaS and seek to abandon the project. Since the initial disruption, LockBitSupp has been vocal in trying to assuage doubts and likely will continue to seek to rebut any claims about the actor's identity. Nevertheless, new and existing variants likely will take advantage of affiliates now without a program, increasing their activity and profits at LockBit’s expense. However, if LockBit activity ceases altogether, we cannot rule out the possibility of a rebrand in the future, the success of which would be uncertain.
On a broader scale, with the continued rise in law enforcement action and disruptions against cybercriminal activity, we maintain our assessment that threat actors likely always will strive to develop tactics, techniques and procedures (TTPs) and enhance operational security (OPSEC) to circumvent apprehension or interference with their illicit activity. Consequently, law enforcement action against cybercrime remains somewhat cyclical — cyberattacks grow in prominence, causing a proportionate increase in arrests, takedowns and disruptions. Threat actors respond by altering their activity, such as avoiding certain targets or attack vectors, until law enforcement abates, at which point threat actors may resume their activities.
For more threat intelligence and research about the ransomware ecosystem, please contact Intel 471.