Takedown of Lockbit won’t stop the hackers, warn security experts
Cybersecurity experts have warned that hackers could swiftly bounce back from a UK-led operation that disrupted what is believed to be the world’s largest criminal ransomware group.
Britain’s National Crime Agency (NCA), along with the FBI, Europol and other international police agencies, took control of ransomware group Lockbit on Monday.
A post on Lockbit’s dark web platform read: “This site is now under the control of the National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement taskforce Operation Cronos.”
Toby Lewis, global head of threat analysis at cybersecurity company Darktrace, said the takedown is a “significant achievement” but “it’s unlikely to be fatal for Lockbit”.
The prolific hackers may retreat temporarily before restructuring and resurfacing and, following the blow to their credibility, “they’ll likely do what any business would do – rebrand,” he added.
Graeme Biggar, the NCA’s director general, has said the group, thought to be headquartered in Russia, is responsible for a quarter of ransomware attacks in the past year.
Lockbit typically infiltrates the computers of businesses and organisations, encrypting data until a ransom is paid. Past high-profile victims include Royal Mail, Boeing and law firm Allen and Overy.
Biggar said: “Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.
“LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.”
Operation Cronos had been ongoing for a while, during which law enforcement gathered data and successfully breached Lockbit’s systems, gaining control of data on the group’s criminal activities.
On Tuesday, the NCA said it will publish a series of information releases “exposing Lockbit’s capability and operations” over the course of this week.
Adam Marré, chief information security officer at Arctic Wolf, a US-based cybersecurity firm, praised the operation as a “great success for law enforcement”. But he warned that groups can regroup quickly after disruptions.
“Given the dispersed nature of LockBit, it is also likely threat actors that aren’t involved in any follow-up arrests will still make use of the existing infrastructure not affected by this activity,” he added.
So far, Europol has reported the arrest of two LockBit actors in Poland and Ukraine, along with two affiliates detained and charged in the US. Additionally, two Russian nationals remain at large.