Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label AlphaV. Show all posts

Behind the LockBit Takedown: Strategies and Significance

 


It was widely hailed as a major victory for law enforcement to take down LockBit in the sprawling war against ransomware and was considered one of the most important victories for law enforcement. However, after law enforcement takes down ransomware groups, they usually reemerge, albeit with less power to continue their criminal activity. 

There was a back-and-forth tussle between law enforcement and the AlphV ransomware group in December when the group resurfaced on the dark web hours after being taken down by the police. As of today, AlphaV has been active for over ten years and lists new victims on its data leak site. 

Over the past decade, ransomware has become an increasingly prevalent problem worldwide, with modern ransomware gangs running complex businesses, and governments and private companies working together to stop these gangs have been working together for the past year. As a part of Operation Cronos, LockBit's infrastructure was used by the coordinating organizations involved with the operation to publish information about the gang's activities. 

There is no doubt that this activity against LockBit is an important victory, but ransomware continues to be a major threat, even from LockBit. To combat ransomware better, cybersecurity communities need to reflect on some lessons learned to improve the fight against ransomware. There have been instances where a victim has paid LockBit but has yet to receive the data that they promised was deleted from their servers, according to the UK's National Crime Agency (NCA). 

As a result of this, a victim trusts that the criminal will keep their end of the bargain after paying the ransom. This is one of the top risks associated with paying a ransom. The disclosure that LockBit failed to delete the data as promised severely tarnished its reputation. If a ransomware group appears trustworthy, its victims will not be willing to pay. 

Organizations need to be prepared for such eventualities and have plans in place in case of such an event. When a company's data is compromised, it needs to prioritize the creation of a thorough disaster recovery plan and procedure in case of data loss or damage, rather than relying on decryption for the sake of recovery. In response to a law enforcement takedown last week, which resulted in police seizing both LockBit's cyber extortion operations and its darknet site, as well as receiving significant intelligence, the criminals are attempting to relaunch their cyber extortion operation. 

The group's administrator, LockbitSupp, launched a new extortion site on Saturday that contains the names and contact information of five victim companies they are threatening to leak stolen documents. Even so, the site is no longer showing any of the old listings from before the law enforcement operation occurred.

Since its launch four years ago, this prolific ransomware-as-a-service outfit has hosted more than 2,000 documents that have been stolen from its victims. Last Monday, police posted a splash page to the dark web that said that they were in control, the most of any of the several extortion gangs operating on it. A week after LockBit's .onion website was hijacked by the U.K. National Crime Agency (NCA), the gang parodied LockBit's infrastructure in a series of posts about how the police had possessed “unprecedented technological access” to the company's infrastructure. 

To downplay the extent of the access, the ransomware service attempted to downplay it. The arrests of alleged affiliates as well as the shutting down of 14,000 accounts on third-party services have come as a result of the ransomware gang's failure to destroy the data of victims, even after it promised to. In an attempt to minimize the reputational damage caused by police action, a new LockBit post attempts to minimize the damage caused by the action. 

The criminals repeat what they claim in the beginning that police had compromised outdated PHP servers. To counter ransomware-as-a-service (RaaS), agencies will resort to a two-fold attack: first, to disrupt the administrative staff of the gang, and then to disrupt its affiliates. It is generally the task of the administrative staff to manage the data leak site, and the task of the affiliates to deploy the ransomware and encrypt networks is the task of the affiliates. 

There is a significant part of the administration staff that enables criminals, and without them being removed, there will be many more criminals assisting them. A disruption of the administration staff will result in the affiliates of the ransomware gangs working for other ransomware gangs. Infrastructure is used by affiliates themselves, either by purchasing it or by illegally accessing it. 

The tools, network connections, and behaviours of this infrastructure provide a considerable amount of information about this infrastructure. The ransom process exposes some details about the administrators: For the ransom process to proceed, the administrator must provide a method of communication and a method of payment for the ransom to be paid. 

The significance of these details may not seem useful to an organization immediately, but law enforcement and researchers will be able to leverage these details to uncover more about the individuals who committed these crimes. Using details from past incidents, law enforcement was able to disrupt LockBit's infrastructure as well as some affiliates of the group by using information from past incidents. 

Likely, Operation Cronos could not have been undertaken without that information, which was gathered with the assistance of attack victims and the allied agencies of the governmental organizations. The fact that an organization does not need to be a victim to help is an important thing to remember. Private organizations are eager to work with governments and are eager to collaborate with them. 

By partnering with CISA, the US government division that formed the Joint Cyber Defense Collaborative (JCDC) to create a global partnership platform to share critical and timely information to fight ransomware, organizations in the US can contribute to the effort to fight ransomware. Government agencies and public organizations can share information through the JCDC in a bidirectional manner. 

To stay on top of emerging trends as well as identify the infrastructure being used by attackers, CISA and organizations work together. There are several ways in which law enforcement can take advantage of collaboration and information sharing to gain a critical advantage against even the most powerful attacker groups, as the LockBit takedown demonstrated.