The LockBit ransomware group’s servers were taken down by law enforcement on February 19, a move seen by many as a significant blow to the cybercrime group’s operations. But in less than a week, they were back, this time with stronger defences and threats aimed at government bodies.
The reality is, this comeback was to be expected – shutting down a hacker group’s website is one thing, but keeping them offline is another story altogether.
Inside LockBit
LockBit operates as a cybercrime group, specialising in ransomware attacks. They offer their ransomware on a ransomware-as-a-service (RaaS) basis, allowing other criminals to use their tools for a share of the proceeds. This model has broadened their impact, making them responsible for numerous high-profile attacks across various sectors, including healthcare and government.
Their website served multiple purposes:
- Listing victims of their ransomware attacks
- Publishing stolen data as part of their extortion strategy
- Acting as a platform for negotiating ransom payments
- Advertising their ransomware-as-a-service to potential affiliates
For a closer look at LockBit and their activities, our LockBit Threat Report has all the info you need. It covers their tactics and effects, featuring a dialogue between our Incident Response manager and LockBit threat actors during a ransom negotiation.
LockBit’s Quick Site Recovery – No Surprise to Us
So, how did we predict they would return so quickly? LockBit coming back online shortly after a takedown isn’t surprising. Simply put, these cybercrime groups are organised and efficient. They’re well-prepared, with strong backup strategies that make sure a temporary takedown doesn’t keep them offline for long.
Impact of Operation Cronos on LockBit
LockBit mentioned that law enforcement breached two key servers, stating, “For 5 years of swimming in money I became very lazy.”
Law enforcement seized the following:
- Key servers, including those for chats and blogs.
- Important items like databases and encryption tools.
- Over 1,000 decryption keys, though LockBit has more.
- More than 200 cryptocurrency accounts allegedly owned by LockBit.
Despite two arrests, three arrest warrants and five indictments issued by law enforcement globally, not every member of LockBit was caught. The group now says they’ve strengthened their web security to avoid getting taken down again. They’re planning a strong comeback, especially targeting government entities.
LockBit’s Resilience and the Ongoing Threat of Cybercrime
Organised cybercrime groups are currently the strongest they’ve been in 10 years.
- LockBit leads as the world’s most active ransomware syndicate since 2019.
- The ransomware market is expected to exceed $18.6 billion by 2027.
- 74% of ransomware profits in 2021 were linked to Russian hackers.
- LockBit alone has targeted over 2,000 victims, demanding hundreds of millions in ransom and pocketing over $120 million.
LockBit’s quick return after being taken down by the authorities shows just how powerful and determined they are. Although some of their resources were seized, it’s clear they still have plenty left. Without arresting all their members, LockBit will keep coming back, stronger each time.
What Needs to Be Done About LockBit
While the takedown of LockBit’s servers and the seizure of their assets might have seemed like a big win against cybercrime, it’s important to understand that these actions were only temporary setbacks. Simply shutting down their website isn’t enough to stop them for good.
The truth is, to really put a stop to LockBit, tangible arrests are needed. Law enforcement has seized servers, encryption tools, and cryptocurrency accounts linked to LockBit, but the impact of those efforts has been limited. Only a few arrests have been made, and not all members of the group have been caught.