LockBit ransomware operation re-establishes dark web presence

LockBit re-established its dark web presence on Saturday 24th February 2024, following disruption by law enforcement agencies on 19th February. The group has issued a statement, in both English and Russian, with a message regarding their negligence allowing for the disruption via Operation Cronos, with additional details regarding plans for future operational procedures.

The newly created dark web includes victim entries made just prior to Operation Cronos, regarding several breach victims, including the FBI (which was at the front of the operation targeting LockBit).

LockBit infrastructure developments

The LockBit cybercriminal group claimed that law enforcement obtained the decryption keys via Operation Cronos from “unprotected decryptors”. The threat actor defines these as file-encrypting malware that did not have the “maximum decryption protection” feature enabled. These are typically used by low-level threat actor affiliates who demand smaller ransom fees.

Intelligence indicates that LockBit operators intend to upgrade the security of their infrastructure and pivot to releasing decryptors manually. The gang also plans to host the affiliate panel on multiple servers and provide its associates with access based on a criterion relating to trust level.

Industry sector considerations

With the relaunch of the ransomware operation, LockBit threat actors have threatened to concentrate their targeting on the US government sector and, as such, organisations within the industry vertical are strongly recommended to remain highly vigilant to potential LockBit ransomware compromise. Further details can be found in the ‘Outlook’ section of this blog.

Geopolitical considerations

A LockBit representative stated that the reason that the FBI compromised their infrastructure was because of the ransomware attack that the group had deployed against Fulton County in January 2024. This posed the risk of disclosing data that the cybercriminal declared contained “a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

Outlook

Despite the success of the disruption operation, organisations across the industry spectrum should remain highly vigilant regarding potential LockBit ransomware compromise.

The newly decentralised LockBit infrastructure model will likely result in future disruption efforts becoming significantly more challenging as the ransomware cartel pivots to a different set of tactics, techniques and procedures (TTPs) for its financially motivated operations going forward.

The re-emergence of the operations outlines how critical it is to implement ransomware preparedness strategies:

• Review and test your incident response processes
• Consider your business continuity and disaster recovery (BCDR) plans from a ransomware perspective
• Ensure your backup strategy is robust
• Make and document decisions ahead of time
• Pull together a list of third-party organisations that can help you.

Further details regarding recommended mitigation strategies can be found within our Quorum Cyber Threat Intelligence LockBit ransomware report.