LockBit bids to save face after NCA takedown

Unreliable narrator

It is important to remember that as a cyber criminal ransomware operator, LockBit’s message will not have been motivated by a desire to set the record straight in any factual sense of the term. Given LockBit was already in decline as an operation, even though it continued to conduct damaging cyber attacks, the messaging around its reemergence should in fact be read in this context.

“The purpose of the message is not to communicate fact, but to engage in PR and reputational damage control for the LockBit brand as a show of strength,” said WithSecure senior threat analyst Stephen Robinson.

“This was an extremely comprehensive takedown which targeted the assets which are the true strength of Ransomware-as-a-Service [RaaS] brands such as LockBit – the brand itself and the affiliates who carry out operations and the group’s financial assets.

“The cyber events were coordinated with high-profile real-world law enforcement agency (LEA) operations to arrest LockBit associated individuals. The seized site was used by LEAs to send a warning message directly to affiliates. The LockBit leak site and brand was used by LEAs to thoroughly mock and denigrate LockBit and their affiliates, and LEAs have stated that they seized 200 plus cryptocurrency wallets, and 1,000 plus decryption keys,” he added.

An expected development

Semperis vice-president for the UK and Ireland, Dan Lattimer, said he was entirely unsurprised that LockBit had quickly resurfaced.

“This cyber crime group has stolen more than $100m in ransom payments in the last year alone; they weren’t going to go quietly in the wind after being embarrassed by a contingent of global law enforcement agencies,” he said.

“Overall, the fight between defenders and adversaries is a round-the-clock battle and it was only a matter of time before the group resurfaced in its entirety or its members joined other ransomware groups.

“I was cautioning Semperis’ customers and partners last week not to lose sight of the fact that LockBit would resurface and to always have an assumed breach mindset. You can never let your guard down against threat actors and building operational resiliency, including a backup and recovery plan is vital to protecting critical assets of your employees, customers and partners,” said Lattimer.

Rubrik EMEA CISO Richard Cassidy added: “One has to question if the financial resources of groups such as Lockbit, are somewhat broader in scope, than the law enforcement teams tasked with their disruption. Lockbit are extremely well funded through the success of their operations, having amassed circa $91m from US organisations alone, therefore they have the economic power to regroup and develop new tactics, techniques, and procedures, learning and adapting from the errors that led to their disruption, thus reinventing their approach, as necessary.

“This cyclic nature of law enforcement disruption and the resurgence of these ransomware groups points to a broader issue within the cybercrime ecosystem. The issue fundamentally is the drivers behind ransomware attacks, such as financial incentives, the relative anonymity of cryptocurrency transactions, and the ad-infinitum discovery of vulnerabilities that remain unaddressed.

“Until then we can expect the rinse-repeat cycle of disruption and resurgence to continue for the foreseeable future,” said Cassidy.