Late on February 19, 2024, the main website of LockBit, the most prolific ransomware group in recent memory, was seized by the United Kingdom’s National Crime Agency (NCA). In cooperation with international law enforcement partners including the United States FBI, the French Gendarmerie Nationale, and Europol, the NCA seized the physical servers that operated the primary site, and two men have been arrested, one in Poland and the other in Ukraine. Additionally, on the same day the US announced sanctions against two Russian nationals for their role in the criminal syndicate.
This type of coordinated, multinational law enforcement action gives us new insight into how these organized crime groups operate, and also exposes the limits of the tools available to us to rein in this type of activity.
What exactly makes up a “ransomware syndicate?” Most of the time they appear to take the form of an anarcho-syndicalist commune. Usually, that includes a core group of software developers to build the websites, malware, and payment sites; someone to launder money; and someone with a decent grasp of English to negotiate payment with the victims. The actual attacks themselves are conducted by so-called “affiliates.” These affiliates sign up to use the platform and brand name to extort victims and share the proceeds.
Identity is fluid in the criminal underworld
Our first problem lies in that structure: These “groups” are mostly loosely affiliated and operate under a brand name. Shutting down the brand does not necessarily impact the core group members themselves. With the US issuing sanctions against some of its members, the brand “LockBit” is as good as dead. No US-based entity will be willing to pay a ransom to LockBit, but if the same people reemerge tomorrow as CryptoMegaUnicornBit or similar, the cycle will start all over again. The sanctions are merely speed bumps, not real long-term solutions to the ransomware problem.
Security is hard
Being a professional criminal hacker does not make you magically great at securing your own infrastructure. We have seen law enforcement “hack” criminal infrastructure in earlier cases as well, sometimes using zero-day vulnerabilities in browsers and tools, other times catching the criminals making an error such as forgetting to use a VPN or Tor Browser, leading to their identification and apprehension. These operational security (OpSec) errors are ultimately the undoing of even the most sophisticated criminals. If we want to continue to increase the pressure on these groups, we must ramp up law enforcement’s ability to conduct these operations.
In criminals we trust?
Many victims have argued they paid the ransom to save their customers, employees, and shareholders from having their data exposed. The idea that paying extortionists to delete stolen data is a viable plan has been criticized by experts since the dawn of the crime itself. Not only should the NCA, FBI, Europol, and others strut and expose after a takedown, but researchers and others should continually publish the chats, forums, and other access they have gained, to show that what seems to be happening in the dark is likely on the radar of many.
This event will not end ransomware and may not even end the active participation of many involved in the LockBit cartel. What it does is advance our approach to disrupting these groups, increasing their cost of doing business and increasing the distrust among the criminals themselves. The criminals have been successful by creating scripts and patterns for how to systematically exploit victims, and we may be approaching the turning point where the defenders have a script of their own. We must stand strong, support our law enforcement partners in this fight, and work to hit the criminals where it hurts most.
Messenger/Mumu