LockBit Returns: Lessons Learned From Operation Cronos


On February 20th, 2024, the UK National Crime Agency (NCA) and nine other law enforcement agencies seized the infrastructure of the infamous LockBit ransomware group in a joint operation named "Operation Cronos" [1]. However, law enforcement's victory appears to have been short-lived: the LockBit leak site came back online four days later.

In this blog post, we explain why Operation Cronos did not take LockBit down permanently and how organizations can defend themselves against LockBit attacks.

Operation Cronos: Taking Down LockBit Leak Site

LockBit has become the most prolific group in the ransomware scene, accounting for roughly 40% of all attributed ransomware attacks in the second half of 2023 [2]. LockBit emerged in September 2019 and adopted the major ransomware trends of the time: Ransomware-as-a-Service (RaaS), double extortion, and buying footholds from Initial Access Brokers (IABs). The group runs data leak sites to publish sensitive or confidential data stolen from victims during an attack; these sites exist to pressure victims into paying the ransom by threatening to release the stolen data to the public or to other criminals. LockBit also operates ransom negotiation sites and affiliate panels to communicate with its affiliates and its victims.

On February 20th, 2024, law enforcement agencies seized LockBit's leak sites, negotiation sites, and affiliate panels in a joint operation known as Operation Cronos. The task force led by the NCA took down 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom. The seized infrastructure hosted the group's tooling and stored data stolen for extortion. Law enforcement also recovered decryption keys from the seized infrastructure and released a free decryptor for LockBit 3.0 (Black) [3]. Operation Cronos revealed that LockBit had worked with 188 affiliates over time and held thousands of unspent BTC in the seized cryptocurrency wallets. While the operation was a major disruption for the group, the task force was not able to identify or arrest the threat actor running the LockBit operation, LockBitSupp.

LockBit Returns After 4 Days

On February 24th, 2024, LockBitSupp published a statement and restored the LockBit infrastructure. In the statement, the threat actor speculated that law enforcement had infiltrated LockBit's servers through a vulnerable PHP deployment and that Operation Cronos was limited to servers running PHP, meaning that backup servers without PHP were not affected. LockBitSupp acknowledged that law enforcement obtained a database, locker stubs, and about 1,000 of the roughly 20,000 decryptors stored on the seized server.

The threat actor also acknowledged that the source code of the affiliate web panel was seized and, in response, split the panel across many servers, each unique to a verified partner, for greater decentralization.

Lessons Learned from Operation Cronos for Organizations and Individuals

Although Operation Cronos made a real dent in the ransomware scene, LockBit's return was to be expected, since the threat actors behind the operation remain at large. Still, there are lessons in Operation Cronos that organizations can use to improve their security posture against future ransomware attacks.

Keep Your Public-facing Applications Up-to-date

In Operation Cronos, law enforcement reportedly breached LockBit's infrastructure through CVE-2023-3824, a remote code execution vulnerability in PHP's handling of phar archives; this explanation comes from LockBitSupp's own statement. At the time of the operation, the vulnerability had been public, with fixed PHP releases available, for more than six months, and it led to a major disruption of LockBit operations. While it was a win for the good guys, there is a lesson here for organizations and individuals as well: the importance of keeping public-facing applications up-to-date cannot be overstated.

Updating applications ensures that known vulnerabilities are patched promptly. Vulnerabilities are discovered continuously, by security researchers and by attackers alike, and vendors release updates to address them. Failing to apply those updates leaves applications exposed to exploitation, through which attackers gain unauthorized access, steal sensitive data, or disrupt operations.
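As an added illustration for this section (not tooling from the original post or from Picus), the following Python snippet triages a PHP deployment against CVE-2023-3824 from the version it discloses. The fixed releases it assumes, 8.0.30, 8.1.22 and 8.2.8, are the ones named in the PHP release announcements for the fix; the HTTP response it parses is constructed, not captured from any real host.

```python
"""Triage a PHP deployment against CVE-2023-3824 from a disclosed version.

Added example for this post, not tooling from the original article or from
Picus. Fixed versions come from the PHP 8.0.30 / 8.1.22 / 8.2.8 release
announcements (August 2023); branches older than 8.0 were end-of-life at the
time and never received the fix. The sample HTTP response is constructed.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Minimum patched release per minor branch that was supported when the fix shipped.
FIXED_VERSIONS = {
    (8, 0): (8, 0, 30),
    (8, 1): (8, 1, 22),
    (8, 2): (8, 2, 8),
}


def parse_version(text: str) -> Optional[Version]:
    """Extract a three-part version from e.g. 'PHP/8.1.20' or '8.2.8-1ubuntu1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess_cve_2023_3824(version: Version) -> str:
    """Return 'patched', 'vulnerable' or 'eol' for a PHP version.

    A branch newer than any listed (8.3+) was released after the fix and is
    treated as patched. A branch older than 8.0 had no supported release, so it
    is reported as 'eol' rather than being mistaken for a patched system.
    """
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return "patched" if version >= FIXED_VERSIONS[branch] else "vulnerable"
    if branch > max(FIXED_VERSIONS):
        return "patched"
    return "eol"


def assess_from_response(raw_response: str) -> Optional[str]:
    """Look for a PHP version disclosed in X-Powered-By or Server headers.

    Returns None when no PHP version is disclosed at all (expose_php=Off),
    which is the correct hardening and means the check must be done on the
    host itself (php -v plus the package changelog).
    """
    for line in raw_response.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() in ("x-powered-by", "server") and "php" in value.lower():
            version = parse_version(value)
            if version:
                return assess_cve_2023_3824(version)
    return None


# Constructed sample response from a hypothetical unpatched host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.24.0\r\n"
    "X-Powered-By: PHP/8.1.20\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(assess_from_response(SAMPLE_RESPONSE))  # vulnerable
```

The result is a triage signal, not proof: distribution packages often backport the fix while keeping the upstream version string (a Debian or RHEL build reporting 8.2.7 may well be patched), and `expose_php = Off` suppresses the header entirely, so the authoritative check is `php -v` plus the package changelog on the host. Conversely, a server that advertises an old PHP version is exactly what an attacker, or in this case law enforcement, looks at first.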

Mitigate Security Gaps Before Ransomware Threat Actors

Ransomware poses a significant cyber risk to organizations and individuals, but it is largely preventable with a robust security posture. Security teams should run regular security assessments to learn where the gaps in their posture are. Armed with the visibility these assessments provide, organizations should prioritize and mitigate the identified gaps before ransomware threat actors exploit them.

Note that sophisticated ransomware operators quickly incorporate newly disclosed critical vulnerabilities into their campaigns. Security teams should therefore close their security gaps without delay to maintain a resilient posture against ransomware.

Validate Security Controls Against Ransomware

Ransomware groups are financially motivated and highly skilled, and ransomware remains a viable business model for them. Even if LockBit were taken down completely, many ransomware threat actors of comparable sophistication remain active, such as ALPHV (BlackCat), CL0P, and Rhysida.

Since September 2022, CISA has advised organizations in its cybersecurity advisories to adopt automated security control validation as a defense against ransomware threat actors [4]. Organizations should continuously validate their security controls against threat behaviors mapped to the MITRE ATT&CK framework.

The recommended methodology is as follows:

  1. Select an ATT&CK technique

  2. Align your security technologies against the technique

  3. Test your technologies against the technique

  4. Analyze your detection and prevention technologies' performance

  5. Repeat the process for all security technologies

  6. Tune your security program

  7. Repeat the whole process for other ATT&CK techniques
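To make the seven steps concrete, here is an added Python example of the bookkeeping behind steps 4 to 6; it is not Picus code, and the technique IDs (T1486 Data Encrypted for Impact, T1490 Inhibit System Recovery, T1566.001 Spearphishing Attachment, T1059.001 PowerShell), the control names and the outcomes are constructed for illustration, not real test results. Each record is the result of one simulated test case for one technique against one control that step 2 aligned to it.

```python
"""Gap analysis for a control-validation run, one record per technique/control pair.

Added example for this post, not Picus code. Only controls that step 2 aligned
to a technique appear in its records, so a control that neither prevented nor
detected the behaviour is a genuine tuning candidate, not an out-of-scope one.
Technique IDs, control names and outcomes below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Outcome:
    technique: str   # ATT&CK technique ID, e.g. "T1486"
    control: str     # security control exercised by the test case (step 2)
    prevented: bool  # control blocked the action (step 3)
    detected: bool   # control raised an alert or log entry (step 3)


# Constructed results of a hypothetical run (step 3 output).
RESULTS: List[Outcome] = [
    Outcome("T1486", "EDR", prevented=True, detected=True),
    Outcome("T1486", "NGFW", prevented=False, detected=False),
    Outcome("T1490", "EDR", prevented=False, detected=True),
    Outcome("T1490", "SIEM", prevented=False, detected=False),
    Outcome("T1566.001", "Email gateway", prevented=True, detected=True),
    Outcome("T1566.001", "EDR", prevented=False, detected=False),
    Outcome("T1059.001", "EDR", prevented=False, detected=False),
]

Report = Dict[str, Dict[str, List[str]]]


def analyze(results: List[Outcome]) -> Report:
    """Steps 4-5: per technique, which aligned controls stopped it, saw it, or stayed silent."""
    by_technique: Dict[str, List[Outcome]] = defaultdict(list)
    for r in results:
        by_technique[r.technique].append(r)
    report: Report = {}
    for technique, outcomes in by_technique.items():
        report[technique] = {
            "prevented_by": sorted(o.control for o in outcomes if o.prevented),
            "detected_by": sorted(o.control for o in outcomes if o.detected),
            "silent": sorted(o.control for o in outcomes if not (o.prevented or o.detected)),
        }
    return report


def tuning_priority(report: Report) -> List[str]:
    """Step 6: order techniques for tuning work.

    Rank 0: no control prevented or detected it (blind spot, fix first).
    Rank 1: detected somewhere but never prevented (outcome rests on responders).
    Rank 2: prevented somewhere, but an aligned control stayed silent (defense in depth gap).
    Techniques with nothing to tune are omitted.
    """
    def rank(technique: str) -> int:
        entry = report[technique]
        if not entry["prevented_by"] and not entry["detected_by"]:
            return 0
        if not entry["prevented_by"]:
            return 1
        return 2

    candidates = [t for t, e in report.items() if e["silent"] or not e["prevented_by"]]
    return sorted(candidates, key=lambda t: (rank(t), t))


if __name__ == "__main__":
    report = analyze(RESULTS)
    for technique in tuning_priority(report):  # step 7 starts again from this list
        print(technique, report[technique])
```

The ordering is deliberately simple so that the output feeds step 7 directly: the run is repeated for the top-ranked techniques after each tuning pass, and a technique drops off the list only once every aligned control either prevents or at least detects it.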

For more detailed information, please visit our blog post "How to Validate Your Security Controls Against APT Actors at Scale".

How Picus Helps Simulate LockBit Ransomware Attacks

We also strongly suggest simulating LockBit ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as AvosLocker, CL0P, and ALPHV, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for LockBit ransomware:

| Threat ID | Threat Name                                    | Attack Module                 |
|-----------|------------------------------------------------|-------------------------------|
| 74169     | LockBit Green Ransomware Download Threat       | Network Infiltration          |
| 43227     | LockBit Green Ransomware Email Threat          | Email Infiltration (Phishing) |
| 76668     | LockBit 3.0 Malware Downloader Download Threat | Network Infiltration          |
| 30789     | LockBit 3.0 Malware Downloader Email Threat    | Email Infiltration (Phishing) |
| 24168     | LockBit 3.0 Ransomware Download Threat         | Network Infiltration          |
| 71275     | LockBit 3.0 Ransomware Email Threat            | Email Infiltration (Phishing) |
| 42142     | LockBit 2.0 Ransomware Email Threat            | Email Infiltration (Phishing) |
| 56526     | LockBit 2.0 Ransomware Download Threat         | Network Infiltration          |
| 59891     | LockBit Ransomware Email Threat                | Email Infiltration (Phishing) |
| 55537     | LockBit Ransomware Download Threat             | Network Infiltration          |

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures that address LockBit ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for LockBit ransomware:

| Security Control | Signature ID | Signature Name                                                                            |
|------------------|--------------|-------------------------------------------------------------------------------------------|
| Check Point NGFW | 85259031     | Malicious Binary.TC.a9a1gtaF                                                              |
| Check Point NGFW | 0DF8EAD47    | Ransomware.Win32.LockBit.TC.4595IgpB                                                      |
| Check Point NGFW | 0B9B5200F    | Ransomware.Win32.LockBit.TC.ad                                                            |
| Check Point NGFW | 0A9203C66    | Trojan-Ransom.Win32.Encoder.ndg.TC.468eHzih                                               |
| Check Point NGFW | 0E8314685    | Trojan.Win32.Generic.Win32.Generic.TC.fac8lKAS                                            |
| Check Point NGFW | 0974D1461    | Ransomware.Win32.LockBit.TC.ac72xYUR                                                      |
| Check Point NGFW | 08A63F7F6    | UDS:Trojan-Ransom.Win32.Generic.TC.ddcbnxCE                                               |
| Check Point NGFW | 0F78C125A    | Trojan.Win32.Generic.Win32.Generic.TC.53caLqjh                                            |
| Check Point NGFW | 0D3183045    | Trojan-Ransom.Win32.Encoder.ndj.TC.9769PdQO                                               |
| Check Point NGFW | 0A62659F4    | Trojan-Ransom.Win32.Encoder.ney.TC.2f27eHNJ                                               |
| Check Point NGFW | 088F2DF9C    | Trojan-Ransom.Win32.Encoder.nfh.TC.0f7dmjJv                                               |
| Check Point NGFW | 0E3B25556    | Trojan.Win32.Ransomware.Win32.LockBit.TC.2e8dsGuZ                                         |
| Check Point NGFW | 0D83B7962    | Trojan.Win32.Ransomware.Win32.LockBit.TC.fbefAOYh                                         |
| Check Point NGFW | 0B44AC79B    | Trojan.Win32.Ransomware.Win32.LockBit.TC.d0f1pgCM                                         |
| Check Point NGFW | 0B2A953A5    | Trojan.Win32.Ransomware.Win32.LockBit.TC.23a4LuVq                                         |
| Check Point NGFW | 0B4088178    | Trojan.Win32.Ransomware.Win32.LockBit.TC.1619pCUl                                         |
| Check Point NGFW | 0E9ACE64D    | Ransomware.Win32.LockBit Green.TC.3813mKCF                                                |
| Check Point NGFW | 0EE101D4F    | Ransomware.Win32.LockBit Green.TC.55ddsbul                                                |
| Check Point NGFW | 85259031     | Trojan.Win32.Generic.TC.a9a1baBd                                                          |
| Cisco Firepower  |              | W32.Auto:baafd4.in03.Talos                                                                |
| Cisco Firepower  |              | W32.80E8DEFA53-95.SBX.TG                                                                  |
| Cisco Firepower  | 1.58024.1    | MALWARE-OTHER Win.Ransomware.Lockbit download attempt                                     |
| Cisco Firepower  | 1.54910.1    | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt                          |
| Cisco Firepower  | 1.54911.1    | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt                          |
| Cisco Firepower  |              | Win.Ransomware.Lockbit::in03.talos                                                        |
| Cisco Firepower  | 1.41640.2    | FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt |
| Cisco Firepower  |              | W32.Auto:45c317.in03.Talos                                                                |
| Cisco Firepower  |              | Auto.FB49B9.261467.in02                                                                   |
| Forcepoint NGFW  |              | File_Malware-Blocked                                                                      |
| FortiGate AV     | 10113116     | VBA/Agent.F230!tr                                                                         |
| FortiGate AV     | 10079067     | NSIS/Injector.AOW!tr                                                                      |
| FortiGate AV     | 10123717     | W32/Lockbit.K!tr.ransom                                                                   |
| FortiGate AV     | 10042007     | W32/Lockbit.C2F8!tr.ransom                                                                |
| FortiGate AV     | 10093469     | W32/LockBit.2513!tr.ransom                                                                |
| FortiGate AV     | 8138651      | W32/Filecoder.NXQ!tr.ransom                                                               |
| FortiGate AV     | 10089996     | MSIL/GenKryptik.EBMY!tr.ransom                                                            |
| FortiGate AV     | 8183406      | W32/LockBit.29EA!tr.ransom                                                                |
| FortiGate AV     | 10133780     | OSX/Filecoder_Lockbit.A!tr                                                                |
| FortiGate AV     | 62183        | PossibleThreat                                                                            |
| FortiGate AV     | 8273597      | W32/Conti.F!tr.ransom                                                                     |
| FortiGate AV     | 10085361     | W64/GenKryptik.FSFZ!tr.ransom                                                             |
| Trellix          | 0x40232600   | HTTP: Microsoft Word DOCX Macro Vulnerability                                             |
| Trellix          | 0x4840c900   | MALWARE: Malicious File Detected by GTI                                                   |
| Palo Alto NGFW   | 543891824    | trojan/Win32.nemesis.hz                                                                   |
| Palo Alto NGFW   | 514958735    | Trojan-Ransom/Win32.encoder.xj                                                            |
| Palo Alto NGFW   | 419491650    | trojan/Win32 EXE.encoder.ua                                                               |
| Palo Alto NGFW   | 527143790    | trojan/Win32 EXE.malware.bdkw                                                             |
| Palo Alto NGFW   | 344149788    | trojan/Win32 EXE.filecoder.adu                                                            |
| Palo Alto NGFW   | 334282092    | Malware/Win32.msilinj.dsw                                                                 |
| Palo Alto NGFW   | 333569703    | Malware/Win32.msilinj.dsj                                                                 |
| Palo Alto NGFW   | 343726995    | Trojan-Ransom/Win32.wanna.xn                                                              |
| Palo Alto NGFW   | 332681025    | ransomware/Win32 EXE.wanna.xj                                                             |
| Palo Alto NGFW   | 550537151    | trojan/Win32.eldorado.buu                                                                 |
| Palo Alto NGFW   | 580983918    | ransomware/OSX.lockbit.qg                                                                 |
| Palo Alto NGFW   | 582737022    | Ransom/MacOS.lockbit.qw                                                                   |
| Palo Alto NGFW   | 571147349    | Ransom/Win32.conti.cb                                                                     |
| Palo Alto NGFW   | 573007961    | TrojanDownloader/Win64.bazaarloader.b                                                     |
| Snort            | 1.2019835.2  | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project                    |
| Snort            | 1.58024.1    | MALWARE-OTHER Win.Ransomware.Lockbit download attempt                                     |
| Snort            | 1.54910.1    | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt                          |
| Snort            | 1.54911.1    | MALWARE-OTHER Win.Ransomware.LockBit ransomware download attempt                          |
| Snort            | 1.41640.2    | FILE-EXECUTABLE QuickHeal Internet Security malformed Mach-O file buffer overflow attempt |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] National Crime Agency, "International investigation disrupts the world's most harmful cyber crime group." Available: https://www.nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group. [Accessed: Feb. 27, 2024]

[2] A. Ho, "Ransomware and software vulnerabilities created the most havoc in H2 2023," Acronis, Feb. 07, 2024. Available: https://www.acronis.com/en-us/blog/posts/ransomware-and-software-vulnerabilities-created-the-most-havoc-in-h2-2023/. [Accessed: Feb. 27, 2024]

[3] "Law enforcement disrupt world's biggest ransomware operation," Europol. Available: https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation. [Accessed: Feb. 27, 2024]

[4] "#StopRansomware: ALPHV Blackcat," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a. [Accessed: Feb. 27, 2024]