Security news that informs and inspires

Post-Disruption, LockBit’s Reputational Damage Key


New research from Trend Micro, which looked at the activities following the LockBit disruption announced over a month ago, found that the law enforcement operation has a “significant impact on the group’s activities.”

While the sweeping Operation Cronos disruption targeted LockBit’s technical infrastructure, involved arrests and included the release of a decryption tool for victims to recover encrypted files without paying a ransom, law enforcement efforts to sow distrust and hit LockBit’s brand had arguably the biggest impact on undermining the ransomware-as-a-service model behind the group, Trend Micro researchers said.

“Contrary to what the group themselves have stated, activities observed post-disruption would indicate that Operation Chronos has a significant impact on the group’s activities,” according to Christopher Boyton, researcher with Trend Micro, in a Wednesday analysis. “With Operation Cronos, we saw a new approach to combating ransomware. Disrupting and undermining the business model seem to have had a far more cumulative effect than executing a technical takedown… affiliates will likely consider all the publicly available information and opt to work for other groups; or better yet, they might reconsider if ransomware is too high-risk of a venture.”

Law enforcement agencies globally have made strides in working together to better launch operations against ransomware groups, but it’s difficult to measure the success of these types of operations. Trend Micro’s research closely tracked the group’s activities in the weeks following the takedown, including detailed information about the types of victims posted to its leak site, changes in how its leak site has been operated and discussions in underground forums.

Perception Versus Reality

One aspect that makes it difficult to understand if disruption efforts are working, at least on the surface, is that oftentimes impacted ransomware groups will make public announcements discrediting law enforcement efforts or insisting that their operations are running normally. That was exactly the case after the LockBit disruption, with LockBit admin “LockBitSupp” announcing in the days after Operation Cronos that the group was returning with new Onion sites and adding a new leak site with as the first alleged victim. In the week after the disruption, researchers also observed discussions on underground forums showing that cybercriminals across the threat landscape still believed that the group would simply rebrand and return, as other groups like Conti and Hive had.

However, digging deeper into the details shows a different picture. After the operation researchers found a clear drop in the number of LockBit infections. While at the surface, it looked like the group was operating as it had before, with 95 victims posted to its leak site. But researchers found that over two-thirds of those victims were actually reuploaded from attacks that had occurred prior to the takedown. Additionally, 10 percent of the victims posted on the leak site were recently posted by other groups, including ALPHV victims.

“Another interesting observation is the distribution of countries after the disruption compared to normal LockBit operations,” said Boyton. “Following the operation, LockBitSupp appears to be attempting to inflate the apparent victim count while also focusing on posting victims from countries whose law enforcement agencies participated in the disruption. This is possibly an attempt to reinforce the narrative that it would come back stronger and target those responsible for its disruption.”

The breadth of Operation Cronos was multifaceted and impacted everything from LockBit’s infrastructure backbone to members’ ability to access cryptocurrency accounts linked to the ransomware group. On the technical infrastructure side, the operation took down 34 servers in various countries, froze 200 cryptocurrency accounts and closed several thousand “rogue accounts” responsible for exfiltration. Two LockBit actors were also arrested in Poland and Ukraine at the request of the French judicial authorities, and three international arrest warrants and five indictments were also been issued by French and U.S. judicial authorities.

However, what really has set the disruption apart is its impact on LockBit’s brand and image in the cybercriminal landscape, said Boyton. Operation Cronos led to the leak of the group’s back-end information, which revealed its internal workings and victim data and disclosed affiliate identities. This could potentially scare away valuable affiliate groups that are now questioning a return to a previously compromised operation.

Reputational Attack

While it has only been a month since the disruption, the targeting of LockBit’s image could have long-term impacts for the group. It’s important to note that other cybercriminal groups - including the ones behind Emotet and Qakbot - eventually re-emerged despite successful short-term disruptions. Additionally, ransomware groups have also bounced back under new names or brands. Still, while ransomware-as-a-service operations are distributed by nature they do need to maintain a certain level of reputation to operate effectively in the cybercriminal ecosystem.

“We were never going to be able to completely shut down LockBit without help from Russia, so this type of operation is the next best thing,” said Allan Liska with Recorded Future. “Make no mistake, LockBit is back and the affiliates who have stuck around are hitting new targets. But their capacity seems to be diminished, for now. We’ll see how long that lasts.”

Boyton said that there’s a valuable lesson to be gained from Operation Cronos, and part of that is tied up in the ability for law enforcement on the defense side to work closer together, as these types of operations decrease the level of trust amongst cybercriminals. The disruption effort, coordinated by Europol and Eurojust, involved law enforcement from 10 countries, for instance.

“This modern approach to tackling cybercrime shows how powerful collaboration among multiple law enforcement agencies, cooperation between trusted partners in the industry, and arguably the most important factor — patience — can be in thwarting high-profile cybercrime groups,” said Boyton. “Had law enforcement gone for the traditional takedown approach, we would have likely seen a rapid recovery from the group. In its spearheading of this new multilayered disruption approach, the [UK’s National Crime Agency] and its partners have set a new standard on how such operations can be carried out in the future.”