

The LockBit Takedown: A Victory, But Not the End

LockBit, a notorious ransomware group known for its sophisticated attacks and ransomware-as-a-service model, recently faced significant blows due to law enforcement actions. LockBit was considered the largest ransomware group in terms of impact globally, responsible for 25% of ransomware attacks in the last year (2023-2024).* The NCA and FBI made arrests last month, but what does this mean for the future of the group?

The History of LockBit

LockBit, emerging prominently in the ransomware scene around 2019, quickly gained notoriety for its aggressive and sophisticated attacks on organisations worldwide. Built around a ransomware-as-a-service (RaaS) model, LockBit operates by recruiting affiliates to deploy its ransomware, offering a share of the ransom payments in return.

Over time, LockBit evolved, releasing updated versions of its ransomware to evade detection and increase effectiveness, such as LockBit 2.0 and later iterations. This continuous innovation has made LockBit one of the most persistent and dangerous cyber threats faced by organisations around the globe.

The Impact 

Arresting members of the group and temporarily dismantling their operations is a significant step forward and a huge success within the cybercrime landscape. It will certainly impact the group’s ability to operate, but will not stop them entirely. In fact, we have already seen reports of the group reforming just days after the takedown.

The operation has been ongoing for years, and this success will have taken an incredible amount of work from the teams involved, as well as patience for the group to make a mistake. The official announcement was that a vulnerability was exploited to take down the group, but our team also reported that an admin of the group had been removed from several leading forums - which could indicate that there’s more to the story.

To Pay or Not To Pay?

The discovery of data belonging to organisations that paid ransoms on LockBit's systems highlights a grim reality: paying a ransom does not guarantee the safety or deletion of stolen data. Although businesses may act out of fear, any ransom payments made will in turn generate more revenue for groups, helping them to develop their tools and infrastructure even further. Huge ransom payments were undeniably a contributing factor to LockBit's growth.

Protection for Businesses

Ransomware attacks remain a high cyber threat for businesses globally. Here are some things businesses should keep in mind to help mitigate cyber risk and prevent cyber attacks.

1. Keep software and operating systems up to date to avoid using outdated software that could be vulnerable.

2. Regularly scan for vulnerabilities and apply patches or fixes immediately.

3. Ensure multi-factor authentication is set up across all applications.

4. Implement the use of anti-virus software, firewalls, and anti-malware software.

5. Train employees on cybersecurity practices, especially the importance of strong passwords and phishing awareness.

6. Restrict access to networks and systems as much as possible using VPNs and IP block / allow lists. 

7. Monitor employee access regularly to understand who has access to what systems.

8. Monitor access within systems to identify any suspicious activity (such as out-of-hours login attempts or unknown usernames).

9. Perform regular backups.

10. Regularly monitor the Dark Web and other parts of the Internet for hacker communications to see if they are talking about the company.
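
As an illustration of item 8, the following added example (not DynaRisk's code) flags out-of-hours login attempts and unknown usernames in OpenSSH authentication logs. The business hours, the list of known accounts, the exemption parameter and the sample log lines are all assumptions constructed for this example.

```python
import re
from datetime import time

# Assumptions for this example: business hours and the set of known accounts.
WORK_START, WORK_END = time(7, 0), time(19, 0)
KNOWN_USERS = {"alice", "bob", "svc-backup"}

# OpenSSH sshd auth result lines in classic syslog format.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hh>\d{2}):(?P<mm>\d{2}):\d{2}\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+\S+\s+for\s+(?P<invalid>invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<ip>\S+)"
)

# Constructed sample log lines (documentation IP ranges), not real data.
SAMPLE_LOG = """\
Feb 20 09:12:44 web01 sshd[811]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Feb 20 02:14:07 web01 sshd[902]: Accepted password for bob from 203.0.113.5 port 51234 ssh2
Feb 20 02:15:31 web01 sshd[907]: Failed password for invalid user admin1 from 198.51.100.7 port 4022 ssh2
Feb 20 14:03:19 web01 sshd[1150]: Failed password for alice from 192.0.2.10 port 50388 ssh2
Feb 20 23:40:02 web01 sshd[1422]: Accepted publickey for svc-backup from 192.0.2.20 port 40110 ssh2
"""

def review_logins(log_text, known_users=KNOWN_USERS, allowed_out_of_hours=frozenset()):
    """Return (line_no, user, ip, reasons) for each suspicious auth event."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd auth result line
        user, reasons = m["user"], []
        when = time(int(m["hh"]), int(m["mm"]))
        # sshd marks accounts that do not exist locally as "invalid user".
        if m["invalid"] or user not in known_users:
            reasons.append("unknown-username")
        if not (WORK_START <= when < WORK_END) and user not in allowed_out_of_hours:
            reasons.append("out-of-hours-" + m["result"].lower())
        if reasons:
            findings.append((line_no, user, m["ip"], reasons))
    return findings

if __name__ == "__main__":
    # svc-backup runs a nightly job, so it is exempt from the out-of-hours rule.
    for finding in review_logins(SAMPLE_LOG, allowed_out_of_hours={"svc-backup"}):
        print(finding)
```

A successful out-of-hours login for a known account (line 2 of the sample) deserves as much attention as the failed attempt against an unknown username, since it may indicate use of stolen credentials.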

Stay tuned as we follow the story. For more information on how our cyber risk intelligence or cyber risk solutions can help protect you, your business or your customers, get in touch: info@dynarisk.com

*https://www.nationalcrimeagency.gov.uk/the-nca-announces-the-disruption-of-lockbit-with-operation-cronos