News
Comment: LockBit “given a taste of their own medicine”
February 2024 by Huseyin Can Yuceel, security researcher at Picus Security, and Andy Kays, CEO of Socura
Overnight, news broke that international agencies including the NCA, FBI and Europol had disrupted the operations of notorious ransomware group, LockBit. More updates are expected at 11.30am GMT https://www.reuters.com/technology/cybersecurity/lockbit-cybercrime-gang-disrupted-by-international-police-operation-2024-02-19/
Both suspect that LockBit will re-group quickly unless arrests are made, and explain how Operation Cronos was able to give LockBit operators “a taste of their own medicine” by exploiting LockBit’s server vulnerabilities.
Huseyin Can Yuceel, security researcher at Picus Security
“Ransomware groups often leverage public-facing vulnerabilities to infect their victims with ransomware. This time, Operation Cronos gave LockBit operators a taste of their own medicine. According to LockBit admins, the law enforcement agencies exploited PHP CVE-2023-3824 vulnerability to compromise LockBit’s public-facing servers and gain access to LockBit source code, internal chat, victims’ details, and stolen data.
“Although the LockBit group claims to have untouched backup servers, it is unclear whether they will be back online. Currently, LockBit associates are not able to login to LockBit services. In a Tox message, adversaries told their associates that they would publish a new leak site after the rebuild. Takedowns are short-lived if no one is arrested.
Andy Kays, CEO of Socura
“LockBit has long been a scourge to businesses, government agencies and security professionals the world over. It is arguably the most active ransomware group ever, whose attacks are both devastating and indiscriminate.
“LockBit’s takedown required the dedicated action of multiple countries and government agencies, which highlights the scale, importance, and complexity of the task. I expect that these agencies would have only acted when they knew with some certainty that they could hit them hard. However, the group still maintains that they have backup servers. At this stage, it’s always extremely difficult to know if a campaign like this will put a group out of action for good. This always depends on where the individuals are based, and if they are known to the authorities. We’ve seen time and time again, that the same individuals can re-emerge and re-group.
“We will know more at 11.30 according to the takedown site, which is an apt role reversal. Now it is LockBit whose future hangs in the balance as an online countdown clock ticks down to zero.
