
LockBit disruption has potential to shake up affiliate structure

Operation Cronos will test LockBit’s ransomware-as-a-service structure, experts say.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

A seizure of ransomware infrastructure by the FBI, the UK’s National Crime Agency (NCA), and international law enforcement partners may be enough to get at least some adversaries to update their resumes and try a new office.

Though ransomware group LockBit has shown signs of recovery after a multi-country disruption of its operations, threat researchers who spoke with IT Brew said the move is still likely to scatter some affiliates to other threat groups.

LockBit follows a ransomware-as-a-service (RaaS) model: the core group maintains the encryptor, leak site, and negotiation infrastructure, while affiliates carry out the intrusions using LockBit’s tooling and share the proceeds. The group has targeted more than 2,000 victims and received more than $120 million in ransom payments, a Department of Justice statement said, following the announcement of an international infrastructure seizure by the joint task force Operation Cronos.

“I think the biggest focus here [from law enforcement], from my perspective, is really taking the confidence out of the affiliate structure and hoping that that destabilizes ransomware as a whole,” Drew Schmitt, practice lead on the research and intelligence team at cybersec-services provider GuidePoint Security, told IT Brew.

Operation Cronos’s takeover of LockBit’s leak site—and its seizure of LockBit’s platform source code, decryption keys, and “a vast amount of intelligence from their systems about their activities,” according to an NCA announcement—may be enough for some affiliates to question who they’re affiliating with.

“There’s probably a perception issue that these guys aren’t the best, because they got taken over by the USG [US government],” Adam Meyers, SVP of counter adversary operations at cybersecurity company CrowdStrike, told us.

Life will still be complicated for LockBit’s associates, even those escaping arrest by staying in countries that lack US extradition agreements. “You’re pretty limited in what you’re going to be able to do if you’re named in a sanction. You’re not going on vacation to any extradition countries,” Schmitt said.

Nevertheless, LockBit has shown signs of resurfacing: BleepingComputer recently reported the appearance of new encryptors, as well as revived negotiation servers for new victims.

While CrowdStrike recently released a threat report noting a lower average ransom demand in 2023, the number of victims named on adversary sites increased by 76% from 2022, with 4,615 victim posts made to dedicated leak sites—a sign, perhaps, that ransomware as a service, if not LockBit itself, is alive and well, according to Meyers.

“There’s lots of ransomware-as-a-service out there, so it’s not unreasonable to think that some of these affiliates will move off of LockBit and switch over to something that might have a better reputation,” he said.
