
Locking up LockBit: How the Recent Enforcement Action Cripples the Ransomware Group

An overview of the enforcement action against LockBit 

On February 20, 2024, a coalition of international law enforcement agencies led by the UK's National Crime Agency (NCA) took enforcement action against LockBit, a ransomware-as-a-service (RaaS) operator that develops and distributes the ransomware of the same name. As part of Operation Cronos, the coalition seized eight darknet websites belonging to LockBit and, more crucially, its central administration environment, including the panel from which affiliates staged their attacks. While this panel was live, affiliates used it to build customized ransomware samples, manage victims, and publish posts to the leak blog. With that environment in the hands of authorities, the ability of LockBit and its affiliates to launch attacks through it has been effectively dismantled.

The seized source code and infrastructure have given authorities a significant amount of intelligence about both the operation's methods and the individuals behind it. Accordingly, two LockBit operatives have already been arrested in Poland and Ukraine, and the US has unsealed indictments against two Russian nationals in relation to LockBit attacks. Just as importantly, over 200 cryptocurrency addresses affiliated with the group have been frozen, hampering its ability to move funds during the crackdown.

LockBit's dark web leak site, once used to publish stolen data, now serves as a clearinghouse for information about the group's criminal activities. As part of victim support, the NCA and partner agencies will provide 1,000 decryption keys to victims around the world so that they can regain access to their encrypted data.

The evolution of LockBit

The enforcement action was significant because LockBit was one of the most sophisticated ransomware strains on the market. LockBit first appeared in September 2019 as ABCD ransomware, so named after the .abcd extension it appended to files. As an encryptor, LockBit denies access to a victim's workstation and files: it encrypts the files with a randomly generated AES key obtained from BCryptGenRandom, protects that AES key with RSA encryption so that only the holder of the matching private key can recover it, and appends the eponymous .lockbit extension to each file. A ransom note is then displayed, and victims must pay the ransom in cryptocurrency to restore access to their files and resume business operations.
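To make the AES-plus-RSA design concrete, and to show why the decryption keys recovered by the NCA are what unlocks victims' files, here is an added example of envelope encryption written for this article. It is not LockBit's code and not Merkle Science's; it assumes a fresh AES-256 key per file, AES-GCM as the mode, RSA-OAEP for wrapping the key, and Go's crypto/rand standing in for BCryptGenRandom (the page names none of these specifics beyond AES, RSA, and BCryptGenRandom). The sample document is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// EncryptedFile is what envelope encryption leaves on disk: the file body under
// a per-file AES key, and that key wrapped with the operator's RSA public key.
type EncryptedFile struct {
	WrappedKey []byte // RSA-OAEP(fileKey): only the matching private key opens it
	Nonce      []byte // AES-GCM nonce (GCM is an assumption; the page names no mode)
	Body       []byte // AES-GCM ciphertext with authentication tag
}

// EncryptFile draws a fresh 256-bit AES key from the OS CSPRNG (the role
// BCryptGenRandom plays on Windows), encrypts the plaintext with it, then wraps
// the key with RSA-OAEP. The encryptor never needs the private key at all.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Body:       gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile is the step a recovered "decryption key" enables: unwrap the
// per-file AES key with the RSA private key, then open the body. With the
// wrong private key the unwrap fails and nothing about the file is recovered.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Body, nil)
}

// RoundTrip encrypts a constructed sample document and reports whether the
// operator's private key restores it and whether an unrelated key is rejected.
func RoundTrip() (restored bool, wrongKeyRejected bool, err error) {
	sample := []byte("constructed sample: Q3 payroll export, not real data")
	operator, err := rsa.GenerateKey(rand.Reader, 2048) // held only by the operator
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // some unrelated key pair
	if err != nil {
		return false, false, err
	}
	ef, err := EncryptFile(&operator.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	got, err := DecryptFile(operator, ef)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := DecryptFile(other, ef)
	return bytes.Equal(got, sample), wrongErr != nil, nil
}

func main() {
	ok, rejected, err := RoundTrip()
	fmt.Println("restored with operator key:", ok, "| wrong key rejected:", rejected, "| err:", err)
}
```

The asymmetry is the whole point of the design: the encryptor only ever carries the public key, so even full forensic access to an infected host yields no way back, and recovery depends on the private key held by the operator, which is exactly what the seized infrastructure and the distributed decryption keys supply.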

What made LockBit particularly devastating was its pervasiveness. Rather than deploying the ransomware itself, LockBit was spread by affiliates who subscribed to it under the ransomware-as-a-service model. RaaS lowered the technical expertise needed to distribute ransomware, opening the door to all types of criminal groups. As with legitimate software, LockBit provided technical support to its affiliates so that they could use the ransomware successfully. Like other RaaS operators, LockBit monetized the service through affiliate subscriptions and a share of the profits from successful attacks.

Affiliates also benefited from LockBit's technical evolution, which went through official versions over the years. In mid-2021, LockBit launched LockBit 2.0, which introduced StealBit, a data exfiltration tool that let affiliates escalate their attacks. Instead of only disrupting business operations by encrypting data, LockBit 2.0 also stole it, and did so quickly because StealBit exfiltrates multiple files in parallel. The affiliate would then threaten to post the stolen data on a leak site or to inform other stakeholders of the breach, such as customers or the media, in order to exert more pressure on the victim to pay the ransom.

LockBit 3.0 resembles its predecessor but carries additional protections. The LockBit 3.0 executable is distributed in encrypted form, and affiliates must supply a password, in effect a decryption key, when launching it; without that password the payload neither runs nor yields readable code, which frustrates malware detection products and static analysis alike.

LockBit, in short, was not a new ransomware but one iterated over several generations to maximize disruption to businesses, encrypt and exfiltrate data, and evade detection by defenders and authorities. Seizing control of the affiliate panel is therefore a significant blow to the group's intellectual property. It loses the key asset that drove its rise to the top of the ransomware world, costing it not only unrealized revenue from attacks it can no longer facilitate but also the development time and technical progress invested in the platform (the group even ran a bug bounty program for LockBit 3.0).

Stages of an attack     

Because LockBit is a RaaS, there is a general pattern for how attacks work, but there is high variation within this process. 

After joining the program, the affiliate is provisioned access to the ransomware through the affiliate panel. The first stage of an attack is initial access, which may be obtained through a variety of vectors depending on the affiliate's technical sophistication, from spear phishing and malicious pop-ups to brute-forcing company credentials.

Once an initial host has been compromised, the affiliate exercises patience in a bid to gain deeper access to the enterprise's systems. If an employee's workstation has been compromised, for example, the affiliate may escalate privileges by harvesting administrator credentials and then use them to move laterally to other hosts, servers, and domain controllers. When the affiliate is satisfied with their level of access, they typically exfiltrate data through StealBit first and then launch the encryptor across the compromised hosts. Encryption is fast because the files themselves are encrypted with AES, with only the AES keys protected by RSA (one test had LockBit encrypting 100,000 files in about 6 minutes). With the workstations locked, the ransom note appears, demanding payment in cryptocurrency to restore access. The affiliate may later post some of the stolen data on a leak site so that the victim is further pressured into paying.

Because the multi-stage LockBit attack includes publishing stolen data, much of which may be sensitive, the enterprise is not the only party harmed. All the stakeholders in its network (employees, customers, users, partners, vendors, and more) may be negatively affected by the ransomware.

The ripple effect of the coalition's enforcement action is thus much broader than most people realize: it protects not only potential victims but the entire networks that ransomware disrupts, preserving both business operations and data integrity. The impact of the NCA-led action will be felt for a long time for that simple reason: it stopped the ransomware at its source, sparing businesses, individuals, and communities the rigmarole of fighting, decrypting, and reporting a LockBit attack.

Breaking down the LockBit sanctions

In the wake of Operation Cronos, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) announced sanctions against Ivan Gennadievich Kondratiev and Artur Ravilevich Sungatov. LockBit attacks carried out by affiliates such as these two have inflicted billions of dollars in damages, both through disrupted operations and ransoms paid. OFAC alleges that 10 cryptocurrency addresses controlled by Kondratiev and Sungatov have been used as wallets to receive and launder ransom payments.

Merkle Science has added these 10 wallet addresses to its list of addresses belonging to sanctioned entities. Merkle Science's customizable multi-hop feature lets compliance officers investigate whether an address carries direct or indirect exposure to sanctioned wallets, where direct exposure means transacting with a listed address and indirect exposure means being connected to one through intermediate addresses. Using this technology, we analyzed the 10 wallet addresses and found the following.
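As an added illustration of what a multi-hop sanctions screen computes, the Go program below walks a constructed ledger breadth-first from a watchlist and labels every downstream address by its hop distance, keeping the shortest route so an investigator can replay it. This is example code written for this article, not Merkle Science's Tracker or its scoring logic; the address labels and transfers are invented placeholders and do not correspond to the OFAC-listed addresses, and the hop-window cutoff is an assumed policy, not a product setting.

```go
package main

import (
	"fmt"
	"sort"
)

// Transfer is one value movement between two addresses. The ledger below is
// constructed for this example; the labels are placeholders, not real addresses.
type Transfer struct {
	From, To string
	Amount   float64
}

// SampleLedger is constructed data. "SDN-1" and "SDN-2" stand in for listed
// addresses; the other labels are hypothetical downstream counterparties.
var SampleLedger = []Transfer{
	{"SDN-1", "hop-a", 2.0},
	{"hop-a", "exchange-deposit", 1.5},
	{"SDN-2", "swap-service", 5.0},
	{"swap-service", "hop-b", 4.0},
	{"hop-b", "hop-c", 3.0},
	{"hop-c", "merchant", 1.0},
	{"clean-1", "clean-2", 9.0},
	{"clean-2", "exchange-deposit", 0.5}, // same deposit address, untainted source
}

// Exposure records, for every address reached, how many transfers separate it
// from sanctioned funds (0 = listed, 1 = direct counterparty, 2+ = indirect)
// and the previous address on the shortest path, so the route can be replayed.
type Exposure struct {
	Hops map[string]int
	Prev map[string]string
}

// TraceOutflows walks the ledger breadth-first in the direction funds move,
// starting from every sanctioned address and stopping after maxHops transfers.
func TraceOutflows(ledger []Transfer, sanctioned []string, maxHops int) Exposure {
	out := map[string][]string{}
	for _, t := range ledger {
		out[t.From] = append(out[t.From], t.To)
	}
	ex := Exposure{Hops: map[string]int{}, Prev: map[string]string{}}
	queue := append([]string(nil), sanctioned...)
	for _, a := range sanctioned {
		ex.Hops[a] = 0
	}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if ex.Hops[cur] >= maxHops {
			continue // beyond the review window; do not expand further
		}
		for _, next := range out[cur] {
			if _, seen := ex.Hops[next]; seen {
				continue // BFS: the first visit is already the shortest route
			}
			ex.Hops[next] = ex.Hops[cur] + 1
			ex.Prev[next] = cur
			queue = append(queue, next)
		}
	}
	return ex
}

// Classify turns a hop count into the label a compliance reviewer acts on.
func (e Exposure) Classify(addr string) string {
	h, ok := e.Hops[addr]
	switch {
	case !ok:
		return "no exposure within window"
	case h == 0:
		return "sanctioned"
	case h == 1:
		return "direct exposure"
	default:
		return fmt.Sprintf("indirect exposure (%d hops)", h)
	}
}

// Path returns the shortest route from a sanctioned address to addr, or nil.
func (e Exposure) Path(addr string) []string {
	if _, ok := e.Hops[addr]; !ok {
		return nil
	}
	var rev []string
	for cur := addr; ; cur = e.Prev[cur] {
		rev = append(rev, cur)
		if e.Hops[cur] == 0 {
			break
		}
	}
	path := make([]string, len(rev))
	for i, a := range rev {
		path[len(rev)-1-i] = a
	}
	return path
}

func main() {
	ex := TraceOutflows(SampleLedger, []string{"SDN-1", "SDN-2"}, 3)
	addrs := make([]string, 0, len(ex.Hops))
	for a := range ex.Hops {
		addrs = append(addrs, a)
	}
	sort.Strings(addrs)
	for _, a := range addrs {
		fmt.Printf("%-17s %-28s via %v\n", a, ex.Classify(a), ex.Path(a))
	}
}
```

Two details matter in practice. The walk follows the direction of fund flow, so "exchange-deposit" is flagged at two hops through "hop-a" even though it also receives clean funds, which is why a reviewer needs the path and not just the label. And the hop window is a policy choice: with a three-hop window "merchant" is not flagged at all, while widening it to ten surfaces it at four hops.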

Merkle Science’s Analysis

During our analysis, we observed recurring interactions between the addresses associated with the sanctioned LockBit entities and darknet services, high-risk organizations, prominent exchanges, swap services, and addresses linked to scams. These interactions occurred across multiple blockchains and platforms, indicating a notable pattern of engagement between the sanctioned LockBit addresses and other entities.

[Figure 1: Merkle Science's Blockchain Forensics Tool 'Tracker' visualizes interactions of sanctioned LockBit addresses]

[Figure 2: Merkle Science's Blockchain Forensics Tool 'Tracker' visualizes interactions of sanctioned LockBit addresses (continued)]