Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Industry responds to LockBit ransomware gang takedown

This week saw the world’s largest and most notorious ransomware gang – LockBit – taken down by international law enforcement in a sting led by the UK’s National Crime Agency and the FBI.

user icon Daniel Croft
Thu, 22 Feb 2024
Industry responds to LockBit ransomware gang takedown
expand image

As a result of the takedown, several members or users of the ransomware gang’s software were arrested and/or indicted, servers were seized, cryptocurrency accounts were frozen, and the group’s dark web leak site was taken over to not only display information on the threat group and advertise the availability of decryption but also to leak LockBit’s back-end data.

Now, industry leaders have weighed in on the issue, addressing the significance of such a large takedown while also discussing LockBit’s likely next move – rebranding.

Here is what they had to say.

============
============

Chester Wisniewski
Director, global field chief technology officer, Sophos

“The work of the UK’s National Crime Agency (NCA) and [its] international partners has delivered a severe blow to the world’s most prolific criminal ransomware syndicate. This is the most insight we have gained into how these groups operate since Conti’s implosion in May of 2022. The decentralised nature of these groups makes them particularly difficult to track down.

“Importantly, we are learning some critical facts about LockBit. It appears law enforcement has acquired access to the encryption keys used to lock up victims’ files and will provide them to help with recovery; hopefully, this will expedite recovery and lessen the impact for LockBit’s targets.

“It was also disclosed that for those who paid the ransom, their data was not, in fact, deleted by the criminals, which sadly should come as no surprise.

“Much of LockBit’s infrastructure is still online, but I don’t expect them to make a triumphant return. These groups continually rebrand and regroup under different banners to continue their ransacking of innocent victims’ networks and take on name identities to evade sanctions.

“It’s probably fair to say goodbye for now, but just like other groups before them, those who are not apprehended are likely to continue their crime spree. We must remain vigilant and not let our guard down.”

Nick Hyatt
Director of threat intelligence, Blackpoint

“The LockBit bust is obviously a big win for law enforcement. LockBit will likely go quiet for a time and come back as a rebranded organisation, much like other ransomware organisations that have been disrupted have done.

“That said, LockBit was one fish (albeit a big one) in a sea of ransomware gangs. The disruption of LockBit sends a message that law enforcement is watching, but ransomware syndicates know this.

“Organisations need to practice good security hygiene, understand their threat profiles, and have visibility into data that may be available on the dark web, which is where these gangs release the data they have stolen.

“Ultimately, governments, law enforcement and the security industry need to make a concerted effort to provide alternate means of recovery rather than paying the ransom – while disrupting LockBit is great, ransomware is still a billion-dollar industry and will remain a threat for the foreseeable future.”

Toby Lewis
Global head of threat analysis, Darktrace

“Although a partial takedown of the world’s most prolific ransomware gang is a huge win for global law enforcement, it likely won’t be fatal for LockBit. It’s probable we’ll see them go underground to regroup, retool and come out again, swinging.

“One interesting aspect, however, is LockBit’s reputation. Their affiliate model means reputation matters, and LockBit may struggle to retain credibility following this shutdown, even if they attempt a relaunch. They’ll likely do what any business would do – rebrand.”

“There will certainly be a lot of good from this. Law enforcement have seized nearly 1,000 decryption keys, so I’m optimistic that many of the current victims will be able to unlock their data and systems and, in the longer term, they could go on to turn the affiliate model on itself, using chat logs and information from private forums to pursue, shut down and arrest LockBit’s network of affiliates.”

Ray Carney
Director of security response and zero-day research, Tenable

“LockBit is a very successful criminal enterprise. Like any large revenue-generating enterprise, LockBit likely had established contingency plans in place.

“It’s widely believed that LockBit operates out of Russia, and as such, they almost certainly operate with some degree of state protection and support. They won’t take their ball and go home over this.”

Sandra Joyce
Vice-president, Mandiant Intelligence, Google Cloud

“Justice is served. This is a righteous, serious blow against a malevolent actor that has caused financial losses and real suffering all over the world.

“We couldn’t hope for much more in terms of a disruption to ransomware operations. This is the model we hope to see more of moving forward.

“But before we lower our defences, we should remember that LockBit operates in a marketplace where competitors are waiting to take their place. Hopefully, they’ll receive the same treatment.”

Charles Carmakal
CTO, Mandiant Consulting

“LockBit affiliates have hit children’s hospitals, government entities and various other targets – they are ruthless. These arrests, indictments and seizing of infrastructure and assets [are] substantial action[s] taken by global law enforcement.

“We’ve seen multiple major law enforcement actions lately, which is sending shockwaves through the criminal community. The impact of the law enforcement actions are reminiscent of some of the bold actions taken after the Colonial Pipeline incident in 2021.

“Many threat actors were genuinely concerned about getting arrested, since a lot of these operators have families and do this as their job. Some will reconsider whether the risk is worth it, given these actions.

“LockBit’s affiliates should be very concerned right now, especially as law enforcement continues to make decryptors available to victims. While some operators will likely continue with LockBit, some will move to other RaaS. Some operators, particularly those in countries where law enforcement is willing to make arrests, will likely scale back or give up out of fear of being arrested.”

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.