UPDATE - An international takedown operation targeting the LockBit ransomware group’s technical infrastructure, and hitting associated individuals with arrests, indictments and sanctions, was celebrated as a major win earlier this week.
However, questions remain about what types of long-term effects this law enforcement action will have, both on LockBit and on the ransomware threat landscape as a whole. Ransomware-as-a-service operations are distributed by nature, so even an operation as comprehensive as the one executed against the LockBit group isn't likely to completely eliminate the threat. The continued activity of some affiliates after this kind of disruption also illustrates the challenge of measuring the impact of these operations.
Over the last year, law enforcement agencies have carried out varying types of disruptive measures against ransomware groups, including efforts to target infrastructure, seize backend servers and take down darknet sites, as seen in the Hive and BlackCat disruptions. Other operations - including ones against Ragnar Locker - have gone a step further by taking action against the individuals behind these groups themselves, including arrests, sanctions and indictments. Many of the operations, including the one against LockBit, have also led to the release of decryptors for these ransomware families, allowing targeted businesses to recover their files.
While these takedown operations certainly have a positive impact, there are deep-rooted difficulties in measuring substantial long-term changes. Different factors make this assessment more difficult, including the varying scale of disruptions - whether they include a hit to infrastructure or if cybercriminals are being locked up, for instance - and the complexity of the ransomware ecosystem, which includes both operators and affiliates.
“It is actually really hard to track the impact of ransomware takedown operations for many of the same reasons that it is hard to track ransomware attacks overall,” said Allan Liska, intelligence analyst with Recorded Future. “A lot of the challenges stem from the fact that we are often reliant on cybercriminal reporting for tracking ransomware attacks. When a large operation, such as LockBit or Hive, is taken offline we often don't know if there is a real dip or if it is just taking a while for the regrouped ransomware actor to get a new data leak site online.”
Looking at the Ransom Data
Part of the problem stems from difficulties in measuring the scale of ransomware attacks themselves. The data available here is highly fragmented, but examining trends in the ransom payments that are made during these attacks can help provide valuable insight, said Jackie Burns Koven, head of Cyber Threat Intelligence at Chainalysis.
“Ultimately, we want to see total ransom payments decline over time, or at least make it harder for threat actors to cash out,” said Koven. “Measuring total ransom payments and their difference year-over-year is a good benchmark to track to understand the overall ransomware ecosystem.”
Chainalysis looked closely at the Hive takedown operation announced by law enforcement in 2023; as part of this operation, the FBI targeted infrastructure and released decryption keys to help victims. The FBI estimated that the release of the decryptor prevented $130 million in payments to Hive. However, that figure accounts only for the impact of the decryptor, not for how the operation affected the broader activities of ransomware affiliates. Chainalysis estimated that the operation “significantly altered the ransomware landscape as a whole last year.”
“During the six months the FBI infiltrated Hive, total ransomware payments across all strains hit $290.35 million,” according to Chainalysis. “But our statistical models estimate an expected total of $500.7 million during that time period, based on attacker behavior in the months before and after the infiltration — and that’s a conservative estimate. Based on that figure, we believe the Hive infiltration may have averted at least $210.4 million in ransomware payments.”
While this is one source of information, looking solely at the ransom payments has its limitations. For one, this data doesn’t take into account organizations that have been hit but opted not to pay a ransom, such as MGM Resorts International, which was hit by a ransomware attack last year and did not pay (though the incident still cost the company approximately $100 million). Tracking ransom payments also excludes external factors that may influence the ransomware ecosystem, including the infighting or dysfunctional operations that occasionally play out within ransomware groups.
The FBI, for its part, said that, for every FBI cybercriminal case, it has looked at the impact that the operation has had on the victims.
“Going back as far as Sodinokibi, then Hive, BlackCat, and now LockBit, the FBI and our partners have provided decryption capabilities to victims of ransomware attacks,” according to the FBI. “We also look at the impact to the cyber criminal ecosystem and what we call the key services, malware, infrastructure, communications, and finances. Taking out one of the key services disrupts the threat actors' abilities to attack victims. In LockBit, the NCA and FBI seized and destroyed all LockBit's infrastructure. While a subject can stand up new infrastructure, we made it more difficult for them to operate and prevented countless new victims.”
When following up on the impact of the LockBit takedown operation, “we could conduct an analysis similar to the one we conducted around Hive,” said Koven.
“But overall we will be looking to see how Lockbit affiliates adapt after the takedown and how other ransomware actors potentially change their operating procedures in light of the actions taken against LockBit. Will they lose trust and leave the illicit business? Will LockBit affiliates migrate to work more with other groups? Will new ransomware strains emerge?”
More Public Data
Another way to measure ransomware operations - and thus the impact of law enforcement crackdowns - is by tracking the attacks via public incident reporting, through the number of victims posted to extortion sites or in privately collected data from incident response.
This data paints a somewhat different picture of the Hive takedown. Recorded Future’s Liska said researchers tracked a “fairly significant” dip in reported ransomware attacks the month after that disruption, but Hive’s affiliates soon migrated to use ransomware like LockBit or BlackCat (also known as ALPHV), and attacks soon picked back up. Again, when law enforcement disrupted BlackCat infrastructure in December 2023, researchers with Recorded Future saw a “big drop” in January 2024.
“What will be interesting to see is what impact the stacking of these takedowns, ALPHV followed so quickly by LockBit, has on the numbers - in other words, how disruptive back-to-back major government actions against ransomware groups really are,” said Liska.
Still, there are challenges here in capturing the full picture and making direct correlations. The current availability of public data is limited, and even with that data available there are several unknowns about who the victims are, if a ransom was paid, and whether any specific aspects of a law enforcement operation - whether an arrest or a sanction - had a more meaningful impact.
“It’s a work in progress,” said Megan Stifel, the chief strategy officer at the Institute for Security and Technology and co-chair of the Ransomware Task Force. “There are facts and figures that have been cited in this [LockBit] press release, but unfortunately any efforts to measure at this stage are still not where we want them to be because we don’t have reporting requirements in place yet. Once we do, I think that it will go a long way toward helping us better measure the impact of arrests and takedowns.”
From a long-term perspective, more consistent cyber incident data reporting could translate to a fuller picture about the scope, scale and impact of ransomware attacks, which in turn could help interpret whether certain steps are effective in hindering cybercriminals, such as sanctions by governments or disruption efforts.
Currently, however, a number of challenges are preventing that full picture from coming together. The government relies on regulatory policies for cyber incident reporting, but the current regulatory landscape is made up of a patchwork of different guidelines across several agencies, adding layers of complexity to the process of reporting incidents. There are also concerns about the government’s realistic ability to process and analyze data once it has been reported - and on the other side, the right incentives are needed for organizations that have historically feared reputational backlash from reporting.
In the meantime, Stifel hopes that a better relationship between the government and private sector will maximize the information sharing needed to track takedown efforts like the one against LockBit.
“The ongoing monitoring of the impact of this takedown is important,” said Stifel. “It’s important here that law enforcement engage with the industry to look for reflections of this takedown. Once you throw the rock there will be impacts - it will create ripples, and it’s important to watch where those ripples reach other targets.”
This article was updated on Feb. 26 to include comments from the FBI.