
DigitalXRAID

LockBit is dead – long live LockBit?

In February 2024, the FBI, alongside international partners including the UK's National Crime Agency (NCA), announced that it had disrupted one of the most prominent and active ransomware ecosystems in the world: LockBit.

Prior to the disruption, LockBit had spent around four years running a ransomware-as-a-service (RaaS) operation, leasing its malware and leak-site infrastructure to a network of affiliates around the world. Those affiliates' prolific attacks hit thousands of victims and caused billions of pounds, euros and dollars in ransom payments and recovery costs.

So, can the world sleep a little more soundly now? Unfortunately, not just yet.  

While it is very positive news that government agencies have been able to disrupt one of these international gangs, the skilled individuals who made up LockBit have scattered, much like the myth that cockroaches multiply when you step on them. Unlike the cockroaches, the scattering is not a myth, and it is a significant concern.

Following LockBit's disruption, the industry has observed some of the more skilled LockBit affiliates moving to Akira, with a significant increase in attacks coming from this newly reinforced group.

DigitalXRAID's Security Operations Centre (SOC) analysts are also seeing a stark increase in lower-skilled attacks from criminals falsely using the LockBit name to scare organisations into paying.

These attackers imitate the well-publicised LockBit playbook. The difference is that they appear to target small and medium-sized organisations and to ask for much smaller sums.

In fact, very quickly after the news of the dismantling was released, it appeared that LockBit itself had been revived.

News update: Following an alert from DigitalXRAID’s Dark Web Intelligence partner, Searchlight Cyber, we’ve been made aware that the infamous cybercrime forum BreachForums has returned, just two weeks after its seizure by the FBI. In what’s believed to be a PR stunt to boost the return of the forum and to revive its reputation, it’s advertising an alleged database of 560m Ticketmaster customers (including names, addresses, emails, and phone numbers and details of ticket sales). The notorious LockBit group has also reemerged to become the most prominent ransomware actor in May 2024, launching 176 attacks in this month alone.

So, what else are we seeing in the cyber world, and what should businesses be most aware of right now?

Ransomware Trends and Groups:  

Ransomware attacks remain a significant threat, with groups such as BlackCat, CL0P, BianLian, AvosLocker, Hunters International and Rhysida being particularly active. These groups are increasingly relying on data theft and extortion rather than on encryption alone, a shift in tactics intended to maximise the financial return on each intrusion. The first quarter of 2024 saw record-breaking levels of ransomware attacks.

BlackCat: Also known as ALPHV, BlackCat is notable for being one of the first major ransomware families written in Rust, which gave it portable builds for Windows, Linux and VMware ESXi hosts and, at the time, poorer coverage from signature-based detection. BlackCat operates under the Ransomware-as-a-Service (RaaS) model, allowing affiliates to carry out attacks while the core developers maintain and update the ransomware. The group has been linked to several high-profile attacks, including on infrastructure and energy companies. Its tactics include not just encrypting data but also stealing it before encryption and threatening to release it unless a ransom is paid. The group's leak site was seized by the FBI in December 2023 and its operators appeared to abandon their affiliates in March 2024, so activity under the BlackCat name since then is likely to come from former affiliates rather than the core operation.

This group targeted a major European energy provider last month. They used sophisticated phishing techniques to gain initial access to the company’s network. Once inside, they deployed their ransomware and exfiltrated sensitive operational data. The company faced significant operational disruptions, and BlackCat demanded a substantial ransom to prevent the release of the stolen data and to decrypt the affected systems.  

CL0P: This group has been active for several years and is known for targeting large organisations, typically by exploiting vulnerabilities in widely used software to gain access, most notably the 2023 mass exploitation of the MOVEit Transfer file-transfer product. CL0P's operations usually involve data exfiltration followed by a ransom demand, with the threat of publishing the data if it is not met. It has been involved in attacks on universities and companies, exfiltrating sensitive research data and personal information.

Recently, CL0P targeted a large university in the UK, exploiting a vulnerability in third-party file transfer software used by the university. They managed to exfiltrate research data and personal information of staff and students. CL0P then threatened to release this information unless a ransom was paid, putting considerable pressure on the institution to comply due to the sensitivity of the stolen data.  

BianLian: The name was first seen on an Android banking Trojan, and the ransomware operation that emerged under it in 2022 has developed into a sophisticated extortion group. BianLian is known to tailor its tooling to each target, a strategy that increases the pressure on victims to pay, and from early 2023 it moved largely to exfiltration-only extortion, often skipping encryption altogether. The group focuses on stealth and has been successful in evading many security defences, making it particularly dangerous.

Last month, BianLian attacked a major retail chain, initially gaining access through a compromised endpoint. After moving laterally within the network to gain higher privileges, they executed their ransomware and extracted large volumes of customer transaction data. BianLian’s approach highlighted their shift towards data theft, using the threat of releasing customer data to leverage a higher ransom payment.  

AvosLocker: A more recent arrival, first seen in 2021, AvosLocker has been linked to several disruptive attacks, particularly against the media and entertainment industries. Like other modern ransomware operations, it combines encryption with exfiltration, pressuring victims into paying to avoid public disclosure of sensitive data.

Avos was responsible for a disruptive attack on a media company in Germany. They infiltrated the network through an email phishing attack that dropped a trojan to establish a foothold. Subsequently, they deployed their ransomware and extracted several unreleased shows and confidential contracts. Avos demanded a ransom not only to decrypt the affected files but also to prevent the public release of the stolen content. 

Hunters International: This group has targeted industrial entities and has shifted from straightforward ransomware deployment to sustained corporate espionage built on data theft. Hunters International aims for long-term access to victim networks, allowing continuous exfiltration and posing a significant risk to the companies it targets.

Known for its focus on industrial espionage, Hunters International recently targeted a manufacturing company in France. The group breached the network through a poorly secured Remote Desktop Protocol (RDP) service. After mapping the network and exfiltrating proprietary designs and financial records, it deployed its ransomware and threatened to sell the stolen information on the dark web unless its ransom demands were met.
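As an added illustration (not code from the original article or from DigitalXRAID), the Python hunt below runs over a handful of constructed Windows Security log events and flags the pattern behind an RDP-based initial access like the one described above: a burst of failed logons from one source address followed by a successful remote-interactive logon from the same address. The event samples, the threshold, the time window and the simplified field names are assumptions for the example.

```python
"""Hunt for RDP brute force / password spraying followed by a successful
remote-interactive logon, over a set of constructed Windows Security events.
Added example: the events below are constructed for illustration and are not
taken from any real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified Security log events: 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP). When Network Level Authentication is
# enabled, failed RDP attempts are usually recorded as LogonType 3 (Network)
# rather than 10, so both are counted as failures below.
SAMPLE_EVENTS = [
    # Benign: one mistyped password from an internal jump host, then success.
    {"time": "2024-05-12T08:01:10", "id": 4625, "user": "j.smith", "logon_type": 10, "src": "10.0.0.5"},
    {"time": "2024-05-12T08:01:25", "id": 4624, "user": "j.smith", "logon_type": 10, "src": "10.0.0.5"},
    # Local failure with no source address: not an RDP event, ignored.
    {"time": "2024-05-12T08:02:00", "id": 4625, "user": "svc_backup", "logon_type": 2, "src": "-"},
    # Spray from the internet against several accounts, then a successful RDP logon.
    {"time": "2024-05-12T02:14:01", "id": 4625, "user": "administrator", "logon_type": 3, "src": "203.0.113.7"},
    {"time": "2024-05-12T02:14:03", "id": 4625, "user": "administrator", "logon_type": 3, "src": "203.0.113.7"},
    {"time": "2024-05-12T02:14:06", "id": 4625, "user": "backup", "logon_type": 3, "src": "203.0.113.7"},
    {"time": "2024-05-12T02:14:09", "id": 4625, "user": "svc_rdp", "logon_type": 3, "src": "203.0.113.7"},
    {"time": "2024-05-12T02:14:12", "id": 4625, "user": "svc_rdp", "logon_type": 3, "src": "203.0.113.7"},
    {"time": "2024-05-12T02:14:15", "id": 4625, "user": "svc_rdp", "logon_type": 3, "src": "203.0.113.7"},
    {"time": "2024-05-12T02:15:40", "id": 4624, "user": "svc_rdp", "logon_type": 10, "src": "203.0.113.7"},
    # Spray that never got in: still worth a ticket, at lower severity.
    {"time": "2024-05-12T03:00:00", "id": 4625, "user": "administrator", "logon_type": 3, "src": "198.51.100.9"},
    {"time": "2024-05-12T03:00:02", "id": 4625, "user": "admin", "logon_type": 3, "src": "198.51.100.9"},
    {"time": "2024-05-12T03:00:04", "id": 4625, "user": "test", "logon_type": 3, "src": "198.51.100.9"},
    {"time": "2024-05-12T03:00:06", "id": 4625, "user": "user", "logon_type": 3, "src": "198.51.100.9"},
    {"time": "2024-05-12T03:00:08", "id": 4625, "user": "guest", "logon_type": 3, "src": "198.51.100.9"},
]

# Source values that mean "no remote peer"; these are never RDP brute force.
LOCAL_SOURCES = {"-", "", "127.0.0.1", "::1"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source address that produced at least `threshold`
    failed logons within `window`, noting whether a successful RDP (LogonType 10)
    logon from the same source followed the burst."""
    by_src = defaultdict(list)
    for event in events:
        src = event.get("src")
        if src is None or src in LOCAL_SOURCES:
            continue
        by_src[src].append(event)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=_ts)
        fails = [e for e in evs if e["id"] == 4625 and e["logon_type"] in (3, 10)]

        # Sliding window: find the first run of >= threshold failures inside `window`.
        burst = None
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and _ts(fails[j + 1]) - _ts(fails[i]) <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst = fails[i:j + 1]
                break
        if burst is None:
            continue

        # A successful interactive RDP logon after the burst turns a noisy
        # spray into a probable compromise.
        burst_end = _ts(burst[-1])
        success = next(
            (e for e in evs if e["id"] == 4624 and e["logon_type"] == 10 and _ts(e) >= burst_end),
            None,
        )
        findings.append({
            "src": src,
            "failed_logons": len(burst),
            "targeted_users": sorted({e["user"] for e in burst}),
            "first_failure": burst[0]["time"],
            "success_as": success["user"] if success else None,
            "severity": "critical" if success else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in find_rdp_brute_force(SAMPLE_EVENTS):
        print(finding)
```

In a real environment the events would come from the Security log (Event IDs 4624 and 4625, with the IpAddress and LogonType fields) of every host that accepts RDP, and the threshold would be tuned per estate. A "critical" hit should be treated as a compromised account, but the underlying finding to fix is the exposure itself: RDP that is reachable from the internet without a VPN or gateway, multi-factor authentication and an account lockout policy will keep generating these bursts.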

Rhysida: This group is known for deploying ransomware rapidly after an initial breach. Rhysida typically exploits recently disclosed vulnerabilities before many organisations have patched them, and moves swiftly to encrypt and exfiltrate data before defenders can react.

This group conducted a rapid attack on a healthcare provider in Spain by exploiting a newly disclosed vulnerability before the organisation could apply the necessary patches. They quickly spread across the network, encrypting critical systems and exfiltrating patient records. Rhysida’s operation was notable for its speed and the immediate impact on healthcare services, compelling the provider to consider paying the ransom to restore services urgently.  

Targeted Industries:

The oil and gas sector in Europe, including the major Amsterdam, Rotterdam and Antwerp terminal hubs, was significantly affected by a wave of ransomware attacks in early 2022, attributed in part to BlackCat. These attacks caused substantial disruption, including delays to the loading and unloading of refined products. In the same period the British snack company KP Snacks suffered a ransomware attack that disrupted its supply chain across the UK.

Incident Trends and Responses:

There is a notable increase in the quality and sophistication of ransomware code, which is now readily available as a commodity in the cybercriminal ecosystem. Despite the advanced nature of these attacks, recovering encrypted data remains a significant challenge, with no guarantee of full recovery even when a ransom is paid.

Geopolitical Influence:

Cyberattacks have not only targeted commercial entities but also critical infrastructures and government systems, influenced by geopolitical tensions. Notably, a large-scale destructive malware operation was observed in Ukraine, impacting several government websites and ministries. 

Preventive Measures and Executive Concerns:

The increasing frequency and sophistication of these attacks have raised concerns at board and C-suite level within affected companies. Making cybersecurity a standing agenda item is crucial for securing the resources needed for prevention and response.

It’s clear with the disruption and reincarnation of LockBit, that the battle against cybercrime is far from over. The dismantling of LockBit, while a significant achievement, has not eliminated the threat of ransomware altogether – either from former (current?) members or other organisations. 

This situation underscores a critical reality: in today’s digital age, it’s not a question of ‘if’ a cyberattack will occur, but ‘when’. The increasing complexity and frequency of these attacks means that businesses must adopt a proactive approach to cybersecurity protection. Relying solely on reactive measures is no longer sufficient. 

Engaging with cybersecurity experts is essential for building a robust security posture. By leveraging cyber expertise, businesses can enhance their resilience against threats, ensuring they are well-prepared to detect and respond effectively when an attack inevitably occurs.  

Businesses must stay vigilant and proactive, investing in comprehensive cybersecurity measures to safeguard their operations. Partnering with seasoned cybersecurity professionals will provide the necessary peace of mind, allowing organisations to focus on their core activities without the constant fear of cyberattacks. Remember, in the realm of cybersecurity, proactive action and expert support are your best defences. 

Hear more from Dark Web experts, Searchlight Cyber, in their latest podcast: The LockBit Takedown.
