The NCA Takes Control of LockBit RaaS Group's Enterprise

The operations of LockBit were disabled, and two individuals engaged in the illegal activities of the ransomware group were arrested.

The operation targeting LockBit allowed the UK National Crime Agency to acquire nearly 1,000 decryption keys, facilitating the retrieval of stolen data.

Yesterday, the UK National Crime Agency (NCA) made an important announcement regarding an international disruption campaign targeting the financially motivated cybercrime group behind the LockBit ransomware service. NCA specialists successfully infiltrated the network established by LockBit's malicious actors and seized control of their services.

"As of today, LockBit is locked out. We have damaged the capability and, most notably, the credibility of a group that depended on secrecy and anonymity," stated Graeme Biggar, National Crime Agency Director General, noting the possibility of criminals attempting to rebuild their illegal enterprise.

The NCA now controls the primary administration environment and the site used for publishing stolen data, planning to expose the criminal group's activities throughout the week. They have also gained access to details about the hackers' activities, their associates, LockBit's source code, and data belonging to LockBit's victims. With over 1,000 decryption keys obtained during the campaign, the NCA is now ready to assist LockBit victims.


Due to a coordinated effort with international partners, two LockBit actors have already been arrested in Poland and Ukraine. Additionally, over two hundred cryptocurrency accounts linked to the group have been frozen, and some cryptocurrency projects, including Tether, have blacklisted addresses associated with LockBit.

Image: Tether blacklists individuals associated with LockBit (source: PeckShield, X)

Meanwhile, the US Department of Justice has charged two criminals who utilized LockBit to conduct ransomware attacks, with indictments unsealed against two additional individuals.

The actors behind LockBit created an extensive enterprise with a network of affiliates and partnerships with other criminal groups and organizations like Maze, hiring network access brokers and recruiting insiders from targeted companies. Furthermore, the gang invested in attracting talented hackers by sponsoring technical writing competitions organized underground.

According to a recent article from the news outlet The Guardian, the Dark Web LockBit website stated the group was "located in the Netherlands, completely apolitical and only interested in money."

What is LockBit ransomware?

After gaining initial access to computer systems through means also typical of other malware families, including unpatched vulnerabilities, insider access, purchased access, and zero-day exploits, LockBit takes control of them and collects information. The stolen data is then encrypted, making it inaccessible to the owner. Next, the hackers demand ransom payments for decryption, usually in cryptocurrency, particularly Bitcoin. If the victim does not pay, the criminals delete the copy of the data held by the victim and make the information publicly available.

Although the NCA mentions that LockBit has been active for four years, America’s Cyber Defense Agency states that the criminal group was already operating in September 2019 under the name ABCD ransomware, the predecessor of LockBit, whereas the first LockBit-named ransomware was detected in January 2020.

The illegal activities of LockBit’s members reached their peak with the creation of the notorious StealBit, a malware tool automating data transfer to intruders. This solution was introduced with the release of LockBit version 2 (LockBit 2.0), commonly known as LockBit Red.

The criminal group further advanced their malicious applications by adding functionality for targeting Linux and virtualization software VMware ESXi with the introduction of LockBit Linux-ESXi Locker version 1.0 in October 2021. Subsequently, in March 2022, an even more sophisticated version of the malware, LockBit 3.0, was released, sharing its features with BlackMatter and Alphv, also known as BlackCat ransomware. This release was followed by LockBit Green, which utilized the Conti ransomware’s source code. Additionally, in April 2023, LockBit encryptors tailored for macOS were detected.

Image: fragment of a table of freeware and open-source tools used by LockBit affiliates (source: America's Cyber Defense Agency)

America’s Cyber Defense Agency identified over forty freeware and open-source tools utilized by LockBit affiliates. Popular remote-access applications such as AnyDesk and TeamViewer were abused by LockBit affiliate actors to establish and maintain remote connections to victims’ systems. Additionally, widely used software for recovering passwords from Windows, such as LostMyPassword, was abused by the attackers to obtain credentials for network access.
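Because the tools named above are legitimate software, defenders typically detect their abuse by policy rather than by signature: a remote-access tool is suspicious where IT has not sanctioned it, and a password-recovery utility is suspicious almost anywhere. The following triage script is an added example (not code from the NCA, CISA or the article); the host-to-tool approval mapping and the process-creation records are constructed for illustration.

```python
"""Flag launches of the remote-access and password-recovery tools the article
names as abused by LockBit affiliates. The log rows and the approval policy
below are constructed samples, not real telemetry or a real policy."""
import csv
import io

# Tools named in the article, grouped by how an affiliate uses them.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
CREDENTIAL_TOOLS = {"lostmypassword.exe"}

# Hypothetical policy: hosts where a specific remote-access tool is sanctioned.
APPROVED_REMOTE_ACCESS = {
    "helpdesk-01": {"teamviewer.exe"},
}

# Constructed process-creation log: host,user,image path.
SAMPLE_LOG = """host,user,image
helpdesk-01,svc_it,C:\\Program Files\\TeamViewer\\TeamViewer.exe
fileserver-02,jdoe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe
fileserver-02,jdoe,C:\\Users\\jdoe\\Downloads\\LostMyPassword.exe
ws-117,asmith,C:\\Windows\\System32\\notepad.exe
"""


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(log_text, approved=APPROVED_REMOTE_ACCESS):
    """Return (severity, host, user, image) tuples for launches worth review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        name = basename(row["image"])
        host = row["host"]
        if name in CREDENTIAL_TOOLS:
            # Password-recovery utilities have no routine business use on endpoints.
            findings.append(("high", host, row["user"], name))
        elif name in REMOTE_ACCESS_TOOLS and name not in approved.get(host, set()):
            # Remote-access tool running on a host where it is not sanctioned.
            findings.append(("medium", host, row["user"], name))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The approved TeamViewer launch on the helpdesk host is ignored; the AnyDesk launch from a temp directory on a file server and the LostMyPassword launch are both reported.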

LockBit Varian Case, other notorious incidents, and ransomware statistics

While LockBit was responsible for about 1,700 ransomware attacks between January 2020 and May 2023 in the United States alone, with the total financial damage estimated at $91 million according to statistics cited by America’s Cyber Defense Agency, some incidents stood out. One of them was the ransomware attack targeting California-based healthcare firm Varian Medical Systems, which specializes in software for oncology applications.


LockBit allegedly exfiltrated all of Varian Medical Systems' databases and patient data, threatening to publish the stolen materials if the ransom was not paid by August 17, 2023. However, the exact development of the situation remains undisclosed, as Varian claimed it had no evidence of a data breach. Reportedly, only a hospital in Seoul, South Korea, was affected by the incident.

DOTmed, a healthcare provider platform, quoted Jon DiMaggio, the chief security strategist of the Analyst1 group, who communicated with LockBit’s representative.

“Affiliates are leaving LockBit’s program for its competitors. They know that LockBit is unable to publish large amounts of victim data, despite its claims,” DiMaggio stated in an interview with Recorded Future News, explaining that LockBit's operational framework and limited bandwidth resources have posed significant hurdles in the data publication efforts. According to DiMaggio, the criminal group was increasingly relying on its reputation to scare victims with ransom demands.

In addition to the LockBit Varian case, the UK’s postal service Royal Mail, the Industrial and Commercial Bank of China, as well as aerospace giant Boeing, fell victim to the ransomware group in 2023. Notably, data stolen from Boeing was indeed published after the company refused to pay the ransom.

Whether or not DiMaggio's assessment of LockBit's current position in the criminal world is accurate, the impact of this group on various countries has been profound. America’s Cyber Defense Agency reported that 18% of total reported ransomware incidents in Australia between April 1, 2022, and March 31, 2023, stemmed from LockBit attacks. In 2022, LockBit was responsible for 22% of ransomware incidents in Canada. During the same year, there were fifteen reports of LockBit ransomware in New Zealand, constituting 23% of all ransomware reports for that year.