Russia’s LockBit Disrupted But Not Dead, Hacking Experts Warn

By Jordan Robertson and Ryan Gallagher | February 22, 2024

Two arrests. Twenty-eight servers seized. And 1,000 decryption keys obtained that can help hacking victims worldwide get their data back.

The takedown announced Tuesday of the Russia-linked hacking gang LockBit, which by some estimates has been responsible for a quarter of all ransomware attacks, represents what law enforcement agencies in the UK, US and Europe described as one of the heaviest blows they’ve ever dealt against criminal hackers. It comes after a relentless surge of major attacks in recent months by LockBit and other groups, who have created a global scourge by extorting victims by locking up their computer systems with encryption software and stealing their sensitive data.

But the episode also highlights what those same authorities acknowledge is the never-ending nature of the fight against cybercrime. Even after hacking groups such as LockBit are dealt a devastating blow, they often quickly regroup and begin attacking again.

“We have not arrested everyone related to LockBit — this is a long-term process,” Graeme Biggar, director general of the UK’s National Crime Agency, said at a press conference in London. “What all of them know now is that we’re on to them, and they’ll be forever looking over their shoulders.”

The actions announced Tuesday include the arrest of two alleged LockBit members in Poland and Ukraine; the indictment in the US of two other alleged members, though they are located in Russia and unlikely to face extradition; the seizure of 28 servers and some 200 cryptocurrency accounts associated with the gang; and, most significantly for LockBit’s thousands of victims, the recovery of decryption keys which can now be used to unlock hijacked data.

Many cybersecurity experts praised the multinational efforts as expansive and aggressive, and an effort likely to deal a significant setback to a group that has become synonymous with the most disruptive and costly cyberattacks of recent years. However, some also warned that recent history of similar takedowns shows it’s not long before hackers are back on their feet.

“The LockBit website disruption and takedown is likely one of the most significant cyber operations undertaken by law enforcement ever,” said Ed Dubrovsky, chief operating officer for Cypfer, a ransomware response and negotiations firm in Toronto, citing the arrests, the amount of data seized by law enforcement and the planned use of the decryption tools.

Still, he cautioned that the ultimate impact on the organization and its leadership was uncertain: “The ability to disrupt LockBit’s dominance on the threat landscape must include both financial and personnel disruption and the ability to help current victims who are left in somewhat of a limbo state.”

Other ransomware gangs – such as Hive and Conti – have faced similar law enforcement action in recent years. But those groups’ members are said by cybersecurity researchers to have simply rebranded and reformed under other names, then continued carrying out their attacks. In the aftermath of the latest crackdown on LockBit, the group’s spokesman has already declared that the gang will rebuild its servers and has boasted that not all of the gang’s websites have been taken down by the authorities, according to messages reviewed by Bloomberg News.

The reasons hackers return to cybercrime are simple: ransomware is profitable and the chances of arrest are relatively slim. Many of those involved in hacking gangs live in Russia or other jurisdictions beyond the reach of Western law enforcement.

“Prior efforts to disrupt actors by law enforcement appear to have done little overall to stem persistence and growth of cyber extortion,” said Charl van der Walt, head of cybersecurity research for Orange Cyberdefense, the cybersecurity division of French telecom Orange SA, which provided data showing that immediately after arrests, takedowns and other actions against such groups in recent years, the number of attacks and publicly disclosed victims actually goes up. “After each of these reported law enforcement interventions, there was still a significant increase in the number of victims revealed on leak sites within the three months after the intervention.”

One of the hallmarks of LockBit’s operations has been its massively successful franchise business model, where it licensed its hacking tools to third parties — known as affiliates — who carried out attacks and shared a portion of the profits from the extortion. That network of affiliates is very wide, so a full disruption of the group is unlikely, said Gene Yoo, chief executive officer of Los Angeles, California-based cybersecurity firm Resecurity Inc.

“It is a huge community of actors monetizing access via ransomware,” he said. “It is only a matter of time for them to regroup.”

Since it was formed in 2020, LockBit has risen to be the world’s most prolific ransomware gang. The group gained notoriety after waging disruptive attacks on high profile companies, including the Industrial & Commercial Bank of China Ltd, the UK’s Royal Mail, the financial software firm ION Trading UK and Boeing Co. It has carried out more than 1,700 attacks in total and extorted $91 million from its victims, according to the US Cybersecurity and Infrastructure Security Agency.

The gang is known to steal internal data and encrypt its victims’ computers, making them unusable. It then demands payment in exchange for unlocking the computers and not publishing the stolen data. LockBit’s Russian-speaking leaders tap into a network of affiliate hackers who carry out attacks using LockBit’s malicious software and infrastructure. They then split the proceeds of any money obtained through the extortion.

“In a highly competitive and cutthroat marketplace, LockBit rose to become the most prolific and dominant ransomware operator,” said Don Smith, vice president of threat research for Atlanta, Georgia-based cybersecurity firm SecureWorks Corp., who provided data showing that LockBit owned about 25% of the global ransomware market at the time of the takedown, based on the number of victims identified on its data-leak site. “It approached ransomware as a global business opportunity and aligned its operations, accordingly, scaling through affiliates at a rate that simply dwarfed other operations.”

The US Department of Justice had previously indicted three alleged hackers who were involved with LockBit. Mikhail Vasiliev – a dual Russian and Canadian citizen – was arrested in Canada in October 2022. That was followed in May 2023 by the indictment of Mikhail Matveev, an alleged Russia-based LockBit member. A third suspect, Ruslan Astamirov, a Russian national, was arrested in Arizona in June 2023, accused of working with LockBit to target companies in the US, Asia, Europe and Africa.

Despite the arrests, LockBit continued its prolific spree of attacks, adding new victims to its dark web page on a near-daily basis, underscoring the difficulty law enforcement has faced in disrupting the gang.

John Fokker, a former supervisor of a high-tech crime investigations team with the Netherlands National Police, said takedowns like the one against LockBit aren’t just about the immediate impacts such as the first arrests and the seizure of criminal websites. They also provide law enforcement with valuable data to continue their investigations into other members, which can be a powerful deterrent.

“What a lot of people tend to forget is that with ransomware it isn’t only the head of the snake but also the individual affiliates,” said Fokker, who is now head of threat intelligence for Milpitas, California-based cybersecurity firm Trellix Corp. “It is hard to arrest all of them, but creating an unsafe environment can be quite effective, too. Cybercrime flourishes when criminals feel safe to do business, however when this safety or trust is broken it will halt development and even the biggest empires will fall apart.”

Top photo: Computer code and text displayed on computer screens. Photographer: Bloomberg Creative Photos/Bloomberg Creative Collection.
