Although action by UK and US authorities against the LockBit ransomware gang is a major setback for its operations – and is likely to inhibit its ability to recruit affiliates – such criminal groupings are notoriously resilient and will probably just emerge under a different banner in the near future.
That’s according to Check Point Software Technologies’ threat intelligence group manager Sergey Shykevich, who was speaking to TechCentral in an interview on Tuesday.
“LockBit will still have data at its disposal and the possibility that it will use it in some way in the future is highly likely,” he said. “The threat from this criminal gang and other ransomware groups will continue.”
Britain’s National Crime Agency, the US’s Federal Bureau of Investigation, Europol and a coalition of international police agencies cooperated in an operation that took down the LockBit ransomware gang on 19 February.
Graeme Biggar, NCA director-general, said last month law enforcement officers had “successfully infiltrated and fundamentally disrupted LockBit”.
Over the past four years, LockBit has been involved in thousands of ransomware attacks on victims around the world, from high-profile corporate targets to hospitals and schools.
One of its most recent attacks was on the South African Government Employees Pension Fund (GEPF), which noted on 12 March that data purportedly from its administrator, the Government Pensions Administration Agency (GPAA), had been released by LockBit.
The fund said the GPAA had confirmed that preventive action was taken when it became aware of the attempted access to its systems. The action included “shutting down” all systems to isolate affected areas.
Prolific
The GEPF’s clients include about 1.265-million active members from more than 325 government departments as well as some 475 000 pensioners and other beneficiaries, but the GPAA said pension payments were not affected.
LockBit was the most prolific ransomware group globally until its operations were disrupted, and was by far the most active ransomware gang in South Africa, accounting for 42% of attacks in the last 12 months, according to Malwarebytes research.
The group typically stole copies of a victim’s data before encrypting it, to have two forms of leverage during ransom negotiations. Then they demanded payment in return for the data, threatening the release of the information through leak sites if a ransom wasn’t paid.
Read: World’s largest ransomware gang nailed
Shykevich said LockBit routinely attacked government institutions and state-owned enterprises but seldom had much success in this arena as governments usually refused to deal with extortionists and criminals.
Educational institutions are easy to target, according to Shykevich, because their networks are easy to access. “Often they have slim budgets and security concerns are not top priority for them,” he said.
He said LockBit will still have data available to it, and that it will find a way to use it in some way. “The takedown was damaging in terms of reputational damage,” he said, “ but no one was arrested and Russia has a policy where it does not extradite, so they will just rebrand or work for others.”
And it seems he is right.
LockbitSupp, the group’s administrator, has opened a new extortion site that features the names of five victim companies from which it is threatening to leak stolen documents. However, the site no longer shows any of the old listings from before the law enforcement operation.
Read: Smashing a criminal enterprise – inside the Lockbit ransomware takedown
The Russian hacker group claimed the servers containing stolen data remain intact. The FBI could not get hold of it, and they will be published in a new blog after “reconstruction”, it said.
The NCA’s Biggar said his staff had seen “some of the messaging that has come out from LockBit. This stuff can spin up in little ways. There are fragments and remnants of it knocking about online. But we have taken control of the core bit, we have destroyed a huge amount of data.” — © 2024 NewsCentral Media
