Who are LockBit?

A threat actor known by the alias LockBitSupp first surfaced in late 2019 with a malicious program known as ABCD (named after the .abcd extension it appended to encrypted files). By early 2020 it was being advertised as LockBit on Russian-language hacking forums such as xss.is, with the operator reachable over the Tox messenger, and it had evolved into a ransomware-as-a-service (RaaS) model: affiliates were recruited to deploy the malware for their own purposes while LockBitSupp took a 20% cut of any ransom paid. Under this model LockBit never had to get his own hands dirty, as he was not behind the intrusions themselves but a facilitator providing the service.

The cut LockBit asked for appealed to forum users because it was much cheaper than what was already on offer. Established cyber crime groups such as REvil and … now had competition in the form of LockBit. LockBit also claimed to have a moral compass, unlike the other RaaS groups, which made the service more appealing to criminals who did not want to target organisations responsible for vulnerable people such as children, the sick and the elderly.

The LockBit malware went through several further versions to reach what is in circulation today, LockBit 4.0; arguably the versions after LockBit 2.0 are mere shadows of their predecessors.

The LockBit malware is still in circulation today despite the head of the organisation being exposed during Operation Cronos. He currently operates with impunity because he has not targeted organisations on Russian soil; he still lives in Russia and has not been arrested, owing to the lack of extradition and cooperation arrangements for cyber crime between Russia and Western law enforcement. He may never be arrested unless he decides to flee Russia or speaks ill of the Russian government, either of which could lead to him being handed over to US or UK law enforcement agencies.

The operation he ran is a shadow of its former self because of Operation Cronos and a series of scandals, including stealing code from competitors and breaking his own so-called code of conduct by attacking children's hospitals.

What Happened?

In January 2023 Royal Mail was hit by a cyber-attack that used the LockBit malware. LockBitSupp initially claimed it was an attempt to discredit the group by someone else using its malware (the LockBit 3.0 builder had leaked the previous year), yet Royal Mail was being directed to the official LockBit leak site, which tied the attack to LockBit's own infrastructure. The attackers demanded an initial ransom of $80 million (around £65.7 million at the time) to decrypt the files and to withhold the stolen data. The Royal Mail negotiator managed to stall LockBit, and after the talks broke down the group leaked the stolen files on 9th February.

Damage and Implications

The LockBit attack had immediate and severe consequences for Royal Mail's operations. International shipping was significantly disrupted: the company was unable to dispatch parcels and letters to overseas destinations, and customers were advised not to attempt to send items abroad for the duration. This operational standstill persisted for several weeks, affecting businesses and individuals reliant on Royal Mail's services. Financially, Royal Mail incurred approximately £10 million in remediation costs. The attackers' initial demand of £65.7 million (the sterling equivalent of $80 million) to decrypt the data and prevent its release was refused despite negotiations, and LockBit went on to leak 44GB of stolen data, including sensitive material such as contracts with third-party suppliers and staff records.

Vulnerabilities LockBit Exploited

The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. LockBit affiliates have exploited several such vulnerabilities since the service emerged to gain initial access to systems, leading to significant disruption and damage. Note that in a RaaS model the initial-access technique is the affiliate's choice rather than a feature of the malware, so the vulnerabilities below reflect what affiliates favoured at the time.

CVE-2023-4966  

LockBit 3.0 affiliates leveraged the "Citrix Bleed" vulnerability (CVE-2023-4966) in Citrix NetScaler ADC and Gateway appliances against high-profile targets including Boeing and the Industrial and Commercial Bank of China; at the time more than 10,000 exposed appliances were reported as vulnerable worldwide. The bug is a buffer over-read that leaks session tokens from the appliance's memory, letting an attacker hijack an already-authenticated session and so bypass MFA without knowing a password. Because existing sessions survive the patch, remediation also requires terminating all active sessions after patching.

LockBit affiliates have also exploited vulnerabilities in Atlassian Confluence Server (5) to deploy ransomware.

CVE-2023-22527 

CVE-2023-22527 is a critical template-injection vulnerability that LockBit affiliates have used to deploy ransomware. Atlassian Confluence Data Center and Server versions before the patched releases (8.0.x up to 8.5.3) performed insufficient input validation in the Velocity template rendering engine, allowing an unauthenticated attacker to inject OGNL (Object Graph Navigation Language) expressions. Successful exploitation grants arbitrary code execution with the privileges of the Confluence service account, potentially leading to full system compromise. The severity is underscored by its CVSS score of 10.0, indicating maximum impact on confidentiality, integrity and availability. (thedfirreport.com)

CVE-2023-22515 is a separate critical vulnerability in publicly accessible Confluence Data Center and Server instances (8.0.0 onwards). Atlassian disclosed it after a handful of customers reported that external attackers had exploited the then-unknown flaw to create unauthorised Confluence administrator accounts and access their instances. The flaw is a broken access control that lets an unauthenticated attacker re-trigger the initial setup process on an already-installed instance and use it to create an administrator account. It also carries a CVSS score of 10.0, indicating maximum impact on confidentiality, integrity and availability.
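Both Confluence vulnerabilities leave a recognisable trace in the HTTP access log, which is where a defender without a decryptor and with a patch backlog should look first. The following is an added example, not code from the original post, from Atlassian or from The DFIR Report: it parses constructed access-log lines in the combined format written by Tomcat and most reverse proxies and flags the request patterns that Atlassian's advisories associate with each CVE (a POST to a Velocity template under /template/ for CVE-2023-22527; a request to /server-info.action that resets setupComplete, followed by the /setup/ endpoints, for CVE-2023-22515). The IP addresses, timestamps and user agents in the sample are invented.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample lines (not real traffic). Two of the four requests match the
# request patterns Atlassian's advisories describe for the CVEs above; the last
# line is ordinary, authenticated page traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2024:03:14:07 +0000] "POST /template/aui/text-inline.vm HTTP/1.1" 200 512 "-" "curl/8.1.2"
198.51.100.9 - - [20/Jan/2024:03:14:09 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [20/Jan/2024:03:14:11 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.0.0.5 - alice [20/Jan/2024:03:15:00 +0000] "GET /display/ENG/Home HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(req: Dict[str, str]) -> Optional[str]:
    """Map one parsed request to the CVE whose exploitation pattern it matches."""
    path, _, query = req["target"].partition("?")
    # CVE-2023-22527: OGNL injection is delivered by POSTing to a Velocity template.
    # Legitimate browsers never POST to /template/*.vm on a Confluence instance.
    if req["method"] == "POST" and path.startswith("/template/") and path.endswith(".vm"):
        return "CVE-2023-22527"
    # CVE-2023-22515: the attacker first flips the instance back into "setup not
    # complete", then drives the setup wizard to create an administrator account.
    if path == "/server-info.action" and "setupComplete=false" in query:
        return "CVE-2023-22515"
    # Any hit on /setup/ after installation is complete is suspicious on its own.
    if path.startswith("/setup/"):
        return "CVE-2023-22515"
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Scan a whole log and return one finding per matching request."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue  # unparsable line; a real pipeline would count these
        cve = classify(req)
        if cve:
            findings.append({
                "ip": req["ip"],
                "ts": req["ts"],
                "cve": cve,
                "request": f'{req["method"]} {req["target"]}',
                "status": req["status"],
            })
    return findings


def by_source(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the CVE labels by client address so a multi-step chain is visible per host."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        grouped[f["ip"]].append(f["cve"])
    return dict(grouped)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f'{f["ts"]}  {f["ip"]:<14} {f["cve"]}  {f["request"]}  -> {f["status"]}')
    print(by_source(scan(SAMPLE_LOG)))
```

These are indicators of attempted or successful exploitation, not of vulnerability: a hit on the template endpoint against a patched 8.5.4 instance is noise, a hit against 8.5.3 is an incident. The response status is carried through for that reason, and any match from an address that has no other business with the instance should be treated as initial access and hunted forward from.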

The Fall of LockBit: Operation Cronos

An operation to uncover the head of LockBit was launched by collaborating government agencies under the name Operation Cronos. Meanwhile the threat intelligence analyst Jon DiMaggio had infiltrated the circles LockBitSupp was known to frequent, befriended him and gained insight into how he viewed his competitors and how the organisation worked. In February 2024 the National Crime Agency, with its international partners, infiltrated and seized control of LockBit's infrastructure, including the leak site hosted on the dark web, compromising the organisation.

The scale of LockBit's impact was unknown until the NCA seized the data from its systems: the RaaS platform had facilitated more than 7,000 attacks, including attacks on hospitals and healthcare companies, and the NCA also reports that over 2,100 victims were forced into negotiating with criminals.

The Operation Cronos investigation was responsible for uncovering the real-world identity of LockBitSupp, and gave the NCA and partners a deep insight into LockBit’s operations and network.

Of the 194 affiliates identified as using LockBit’s services up until February 2024:

  • 148 built attacks.
  • 119 engaged in negotiations with victims, meaning they definitely deployed attacks.
  • Of the 119 who began negotiations, there are 39 who appear not to have ever received a ransom payment.
  • 75 did not engage in any negotiation, so also appear not to have received any ransom payments.

Up to 114 affiliates paid thousands of dollars to join the LockBit programme and caused unknown levels of damage; some made no money from the service but are still being targeted by law enforcement. Affiliate numbers and use of LockBit have fallen significantly since LockBitSupp's identity was revealed.

Mitigation & Defence

Paying a ransom is never a good idea, regardless of the situation. Negotiating with cyber criminals can never guarantee that stolen data will not be leaked or that compromised systems will be restored to their former working state. For instance, in the WannaCry and NotPetya attacks some victims paid but got nothing back: WannaCry's payment handling could not even match a payment to the victim who made it, so decryption keys were not delivered, and NotPetya was a wiper dressed up as ransomware whose operators never intended to restore anything, so the data was simply destroyed.

  • Regular Patching and Updates: Ensure that all software, especially internet-facing applications, are up to date with the latest security patches. Regularly review and apply patches for known vulnerabilities to reduce the attack surface. 
  • Network Segmentation: Dividing the network into segments to prevent the spread of infection and minimise the damage an attacker can cause. Critical systems should be isolated, and access between segments should be strictly controlled and monitored, making it harder for malware with worm-like capabilities to reach systems that hold sensitive data. 
  • Zero Trust Architecture: Treat every access request as untrusted regardless of where on the network it originates; authenticate and authorise each request explicitly and grant only the minimum privilege it needs, so that a compromised account or host does not automatically gain reach across the estate. 
  • Multi-Factor Authentication (MFA): Implementation of MFA for all remote access points and sensitive systems to add an extra layer of security to reduce the risk of unauthorised access even if user credentials are compromised. 
  • Regular Backups: Maintain regular, offline backups of critical data. Ensure that backup processes are secure and that restoration procedures are tested periodically to guarantee data recovery in the event of an attack. Having a separate (preferably air-gapped) network to store backed up data should also be considered to prevent ransomware from being able to infiltrate what I would consider the last line of defence.  
  • User Education and Training: Conduct regular cyber security awareness training for employees to recognise phishing attempts and understand the importance of security best practices, thereby reducing the likelihood of successful social engineering attacks. 
  • Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor and analyse endpoint activities in real-time, enabling the rapid detection and response to suspicious behaviours indicative of ransomware attacks. 
  • Incident Response Planning: Develop and regularly update an incident response plan that outlines specific procedures for various attack scenarios, ensuring a swift and coordinated response to minimise damage during a cyber security incident. 
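The patching advice above is only actionable if you can say which deployed versions are exposed and which release to move each one to. As an added example (not code from the original post or from Atlassian), the following checks a Confluence version string against the affected ranges that Atlassian's advisories give for the two Confluence CVEs discussed earlier and returns the first fixed release on that line. The ranges are half-open, [first affected, first fixed), so a version equal to the fix is reported clean; the version strings passed in are invented.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges per release line, taken from Atlassian's advisories for the
# two CVEs discussed above. Each entry is [first affected, first fixed).
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    # 8.0.x through 8.5.3; fixed in 8.5.4 (LTS). 8.6.0 and later are not listed as affected.
    "CVE-2023-22527": [((8, 0, 0), (8, 5, 4))],
    # 8.0.x through 8.3.2, 8.4.0-8.4.2 and 8.5.0-8.5.1; fixed in 8.3.3, 8.4.3 and 8.5.2.
    "CVE-2023-22515": [((8, 0, 0), (8, 3, 3)),
                       ((8, 4, 0), (8, 4, 3)),
                       ((8, 5, 0), (8, 5, 2))],
}


def parse_version(text: str) -> Version:
    """Turn '8.5.3', '8.5' or '8.5.3-build1234' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a Confluence version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def exposures(version: str) -> List[Tuple[str, str]]:
    """Return (CVE, first fixed release) for every CVE the given version is exposed to."""
    v = parse_version(version)
    hits: List[Tuple[str, str]] = []
    for cve, ranges in AFFECTED.items():
        for low, fixed in ranges:
            if low <= v < fixed:
                hits.append((cve, ".".join(map(str, fixed))))
                break  # one range per CVE is enough; ranges on a line do not overlap
    return hits


def upgrade_target(version: str) -> str:
    """Smallest single release that closes every listed CVE for this version, or the version itself."""
    hits = exposures(version)
    if not hits:
        return version
    return ".".join(map(str, max(parse_version(fix) for _, fix in hits)))


if __name__ == "__main__":
    for v in ("7.19.17", "8.4.2", "8.5.1", "8.5.3", "8.5.4", "8.6.0"):
        print(f"{v:<8} exposed to {exposures(v) or 'nothing listed'}; upgrade to {upgrade_target(v)}")
```

Two points the output makes that a casual reading of the advisories can miss: an instance on 8.5.2 or 8.5.3 was already patched for CVE-2023-22515 but remained exposed to CVE-2023-22527 for another three months, and an instance on 7.x was never exposed to either, so a fleet inventory has to be compared per line rather than by "is it old".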
