As cybercrime has proliferated, one particular type of online crime has exacted an egregious toll: ransomware. Cybercriminals steal sensitive data from networks and then encrypt it as part of an extortion attempt to extract a ransom. The LockBit ransomware was the most prevalent ransomware strain globally in 2022, 2023 and into 2024, with concentrations of victims in North America and Europe. The group and the threat actors that use its malware have inflicted untold misery, financial and reputational harm to victims worldwide, including hospitals, churches and oncology centers.
The U.S. Department of Justice estimates that LockBit had infected at least 2,000 organizations around the world and collected at least US $120 million in ransoms. Since then, this group has continued to conduct dozens of attacks per month. Law enforcement has arrested and/or indicted a few individuals related to this large group of threat actors over time (see Mikhail Vasiliev, Mikhail Pavlovich Matveev aka Wazawaka and Ruslan Magomedovich Astamirov). Those actions, however, have not significantly impacted the group. On Feb. 20, 2024, however, law enforcement revealed an offensive action striking at the group’s infrastructure. Data leak sites and other websites belonging to the group displayed a message saying the sites are now under the control of the National Crime Agency (NCA) in the U.K., the U.S. FBI and an international law enforcement task force dubbed Operation Cronos.
Operation Cronos
Operation Cronos is a long-running disruption operation against LockBit that, as announced by the NCA and Europol, led to the compromise and closure of LockBit’s primary platform and critical infrastructure. In total, Operation Cronos took down 34 servers in eight countries, froze more than 200 cryptocurrency accounts and led to the arrest of two LockBit actors in Poland and Ukraine. Further, three international arrest warrants and five indictments have been issued by French and U.S. authorities and over 14,000 rogue accounts linked to exfiltration and infrastructure were closed. The leader of the LockBit group, the threat actor LockBitSupp, claimed on the RAMP underground forum that a PHP buffer overflow flaw (CVE-2023-3824) was exploited to gain access to the group’s infrastructure.
The indictments unsealed by the U.S. government include two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev aka Bassterlord. Bassterlord is a long-standing prolific network access broker, hacker and ransomware operator.
The NCA has taken control of the technical infrastructure operated by LockBit, as well as its data leak blog website, crippling the group’s ability to operate at least in the short term. The data obtained during the seizure of this infrastructure will likely be utilized for follow-on operations, and the collection of over 1,000 decryption keys will be used to aid victims of prior LockBit attacks. The FBI has created a LockBit Victim Reporting Form that can be used to aid prosecutions (such as writing victim impact statements and filing restitution claims) and also to request decryption assistance. A LockBit 3.0 decryption tool has also been released on the No More Ransom website. In the coming days, investigators and private security companies plan to release more detailed data harvested from access to LockBit's systems about its infrastructure, cryptocurrency accounts, administration, tooling and more. These releases are promoted on LockBit’s own data leak site with countdown timers in the same style that the gang used to threaten victims with data releases if ransoms were not paid.
In this blog post, we review the origins of the LockBit gang, why this group rose in prominence and the effects the law enforcement action may have.
LockBit: A Destructive Force
LockBit started small in about September 2019 but quickly expanded. It was initially known as the ABCD ransomware, as encrypted files bore the .abcd file extension. But the group soon rebranded to LockBit, a portmanteau of the words “lock” and “bit.” Encrypted files used the .lockbit extension. LockBit collaborated with a ransomware group called Maze to upgrade its platform and data leak blog. Maze was one of the first groups to “double extort” victims. First, it would steal sensitive data and then encrypt it. If a victim had a good data backup regime and didn’t need to pay a ransom for a decryption key, they might pay if threatened with the public release of the stolen data. This model is now pervasive among ransomware groups.
The goal of a ransomware-as-a-service (RaaS) organization is to create an affiliate program that attracts as many affiliates as possible and thus a larger share of the ransoms paid by victims. Capturing market share is a combination of creating appealing terms for affiliates, running a trustworthy business and supplying the tooling needed to carry out efficient attacks. LockBit’s operation grew in scale by consistently delivering new product features, providing good customer support and, at times, staging marketing stunts that included paying people to tattoo themselves with the group’s logo. Those who did so were purportedly verified with videos.
Two personas, LockBit and LockBitSupp, acted as the ransomware group’s spokesperson. The Russian-speaking actor first appeared on the Exploit and XSS cybercrime forums in January 2020, posted regularly and proved to be a mercurial figure (more on this in Analyst1’s deep dive into LockBit) who criticized competitors. LockBitSupp was banned in February 2024 from Exploit and XSS following a dispute over payment with an initial access broker.
The LockBit group’s success has been due in part to software improvements to its ransomware variants. In June 2021, the group released the second iteration of its ransomware called LockBit 2.0. This version offered several enhancements, including faster encryption speeds and heavy obfuscation to help avoid detection. Later versions of LockBit 2.0 included automatic encryption of devices across Windows domains by abusing Active Directory group policies and a Linux version that exploited vulnerabilities in VMware ESXi virtual machines. The faster encryption meant that victims had less time to act once the encryption component of an attack began. LockBit claimed at the time that it had the fastest encryption software of any active ransomware strain. A year later, in June 2022, LockBit released its third ransomware version dubbed LockBit 3.0, which also came with a variety of advancements and helped ensure the group remained one of the top names in ransomware.
LockBit also upended the affiliate payment structure. As described on the blog of security company Analyst1, those who participate in a RaaS program use the tools and infrastructure provided by the RaaS program. The RaaS operator collects the ransom and then pays a percentage or part of it to the affiliate. Sometimes, however, affiliates did not get paid, and Analyst1 says this happened with some affiliates of the now-defunct REvil ransomware group. LockBit flipped the script, letting its affiliates collect the ransom and trusting them to pay it a portion. This made affiliates confident that they were not going to lose out on a payment, thus attracting more affiliates.
LockBit’s ascension also benefited from timing. Other prevalent ransomware groups had run into trouble after prominent attacks caused nations to intensify their ransomware-fighting efforts. For example, the REvil ransomware group was on the decline after a disruption operation by U.S. Cyber Command in October 2021. Law enforcement targeted the group after its affiliates carried out high-profile attacks. DarkSide, the group that carried out the infamous attack against U.S. energy company Colonial Pipeline in May 2021, called it quits after it was also disrupted by law enforcement and some of the bitcoin ransom Colonial Pipeline paid was seized. The Conti ransomware group, which was also one of the top RaaS groups, dissipated in early 2022 after gang members erred by expressing support for Russia’s action against Ukraine and after years of the group’s internal chats were leaked by a security researcher.
These voids in the ransomware landscape allowed LockBit to gain market share, attracting competent affiliates who lacked credible RaaS alternatives. Furthermore, the advent of intensified aggression by Russia against Ukraine in February 2022 and the subsequent pariahdom of Russia likely provided a less hostile environment for the group to operate from, since Russian law enforcement has less incentive to target threats affecting Western organizations. Additionally, the LockBit operators had strong business acumen and continued to ensure they were not outperformed by upstart competitors.
Looking Ahead: Ransomware Challenges
We predicted that LockBit’s dominance in the ransomware market would eventually attract attention from international law enforcement and competitors looking to upend its business. Although the group brought in numerous operational security (OPSEC) measures to ward against identification and possible capture, it is knowing when to quit that often provides the greatest assurance, a skill few groups have demonstrated in the past.
There are several angles from which to view the LockBit disruption. These types of law enforcement operations often have an upside for ransomware victims. Infiltrating a ransomware group’s infrastructure has allowed investigators to retrieve decryption keys. This has also happened with LockBit. As mentioned before, more than 1,000 decryption keys have been obtained and a decryption tool has been developed. This also occurred with the action against the Hive RaaS in January 2023. For seven months, investigators pulled decryption keys from Hive’s infrastructure and supplied them to victims without the gang’s knowledge. At least 336 victims were helped, preventing a potential of US $130 million in ransoms from being paid.
Infiltration of a ransomware gang’s infrastructure also allows for the collection of forensic evidence that could be used to uncover the real-world identities of ransomware actors, if not already known. There are already signs with the LockBit disruption that investigators may have wanted to make it known to threat actors that their OPSEC is flawed. A screenshot circulated on social media of a warning that purportedly appeared if affiliates logged in to their LockBit control panels. If this message is accurate, it could act as a deterrent to certain threat actors while also warning LockBitSupp and affiliates about the information law enforcement has obtained concerning their activities. The use of LockBit’s infrastructure to unveil different facets of the group’s operations certainly was a planned maneuver to undermine LockBit’s reputation in the underground and demonstrates the depths law enforcement operations can reach. While the full extent of the disruption remains unclear, it is highly likely LockBit operators and affiliates will maintain a low profile as news of the alleged arrests circulates and until more information becomes available.
However, ransomware actors have often regrouped and rebranded after their previous groups collapsed. For example, members of the Conti ransomware group are believed to be linked to Black Basta, which is an active group. Some members of the DarkSide group are believed to have become part of ALPHV aka BlackCat, which was the second most prominent ransomware variant after LockBit until it was disrupted by an international coalition of law enforcement partners in December 2023. This type of renewal remains possible absent sufficient arrests and prosecutions. Still, disruptions of infrastructure raise the costs for adversaries and also demonstrate the increasing capability to strike back against ransomware groups.
As events unfold in the coming days and weeks, LockBit operators and affiliates should be wary of the extent to which law enforcement has uncovered details about their activities. What is evident from the NCA’s media release today is that law enforcement has penetrated deep into the group’s infrastructure and inner workings. The abundance of valuable information and evidence gleaned will highly likely lead to future law enforcement action.