Certified Security Operations Center GmbH

22 February 2024

LockBit ransomware group dismantled: What does this mean for cybersecurity?

There is cause for celebration: the LockBit group, one of the most notorious cybercriminal organizations, has been checkmated. Today, we want to explain what this means for cybersecurity and why it is still important to remain vigilant and take proactive countermeasures. The LockBit group was first discovered in 2019 and has since carried out a series of attacks on businesses and organizations worldwide. LockBit stood out for its professionalism and for constantly evolving its attack methods to stay ahead of corporate security measures. The group often used advanced encryption algorithms and took a sophisticated approach to ensure that its ransomware could spread within victims’ networks and cause as much damage as possible.

A concerning aspect of the LockBit group was its tendency to target large companies and organizations, especially those with financial resources and sensitive data. By encrypting critical files and systems, they could cause significant financial losses and operational disruptions. Furthermore, the threat of publishing stolen data also had a significant impact on the reputation and credibility of their victims.

What is already known:

In a landmark operation, authorities have successfully dismantled the feared LockBit ransomware group. Responsible for numerous cyberattacks worldwide, the group was targeted by the National Crime Agency (NCA). Collaborating with international partners, the NCA disrupted the group’s infrastructure and financial flows, leading to the arrest of several suspects.

A spokesperson from the National Crime Agency (NCA) confirmed this groundbreaking news: “This is a significant blow against one of the most dangerous ransomware groups in the world. We have halted their operations, seized their revenues, and held their members accountable. This demonstrates that we will not allow cyber criminals to threaten our society and economy.”

Through our Cyber Threat Management service, we have already gained extensive experience with LockBit ransomware among our clients. Our proactive monitoring enabled us to detect threats early and implement effective countermeasures. Our mission is to continuously monitor and understand groups like LockBit and to turn their dynamic behavior against them in order to provide optimal protection for our clients. As part of our threat hunting, we have now confirmed that all LockBit onion mirrors on the darknet have indeed been taken down. This means the group no longer has access to its encrypted data and communication channels.

Significance for cybersecurity:

The dismantling of the LockBit group required a coordinated effort from businesses, governments, and cybersecurity experts worldwide. This is a major success for global cybersecurity, but unfortunately, dismantling the group does not mean we can relax and declare an “all clear.” It remains crucial to stay vigilant and take proactive measures, because other cybercriminal organizations learn from the mistakes of those who came before them. Many more cybercriminals are still active, and new groups emerge as a threat before we even notice them.

We strongly advise companies to continue strengthening their defense measures through the following actions:

  • Back up your data regularly to offline storage and keep it in a secure location.
  • Monitor remote connections regularly and restrict remote access to essential needs.
  • Implement phishing-resistant multi-factor authentication.
  • Regularly review and clean up all user accounts.
  • Segment your networks to prevent the spread of ransomware.
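Two of the points above, monitoring remote connections and cleaning up user accounts, lend themselves to a routine, automated check. The following script is an added example written for this article; it is not code from Certified Security Operations Center GmbH or from any of the tools mentioned. It works on constructed sample data (a handful of remote-login records in a simple `timestamp user source_ip service` format and an account inventory with last-use dates) and assumes an allow-list of networks from which remote access is expected; both the format and the allow-list are assumptions for the example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample input (not taken from the original post): remote-login
# records in an assumed "timestamp user source_ip service" format.
SAMPLE_LOGS = """\
2024-02-20T08:02:11 alice 10.20.5.14 rdp
2024-02-20T09:47:03 bob 203.0.113.77 vpn
2024-02-21T22:15:40 svc-backup 198.51.100.9 rdp
2024-02-21T23:01:12 alice 10.20.5.14 rdp
"""

# Constructed account inventory: user -> date of last successful use.
ACCOUNTS = {
    "alice": "2024-02-21",
    "bob": "2024-02-20",
    "svc-backup": "2024-02-21",
    "contractor-old": "2023-09-01",   # unused for months; should be cleaned up
    "jsmith": "2023-11-30",
}

# Assumed allow-list: the office LAN and the corporate VPN egress range.
ALLOWED_SOURCES = [ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")]


def parse_log(text):
    """Parse the assumed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, service = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "src": ip_address(src),
            "service": service,
        })
    return records


def unexpected_remote_logins(records, allowed=ALLOWED_SOURCES):
    """Remote logins whose source address is outside every allow-listed network."""
    return [r for r in records if not any(r["src"] in net for net in allowed)]


def stale_accounts(accounts, today, max_idle_days=90):
    """Accounts whose last use is older than max_idle_days; candidates for removal."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        user for user, last in accounts.items()
        if datetime.fromisoformat(last) < cutoff
    )


def review(log_text, accounts, today):
    """Run both checks and return the findings as plain data for reporting."""
    records = parse_log(log_text)
    return {
        "unexpected_logins": [
            f"{r['time'].isoformat()} {r['user']} from {r['src']} via {r['service']}"
            for r in unexpected_remote_logins(records)
        ],
        "stale_accounts": stale_accounts(accounts, today),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOGS, ACCOUNTS, datetime(2024, 2, 22))
    print("Remote logins from outside the allow-list:")
    for line in findings["unexpected_logins"]:
        print("  ", line)
    print("Accounts idle for more than 90 days:")
    for user in findings["stale_accounts"]:
        print("  ", user)
```

On the sample data, the RDP login of `svc-backup` from 198.51.100.9 is the only one outside the allow-list, and `contractor-old` is the only account idle for more than 90 days. In practice the log parser would be replaced by an export from the VPN gateway or the domain controller, and the allow-list by the organization's actual remote-access ranges; the two checks themselves stay the same.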

What affected companies can do:

Victims of a LockBit attack have the option to report to authorities and receive assistance with data recovery. Collaboration between the NCA and partners provides insights into LockBit infrastructures and activities. Affected companies can receive decryption assistance by providing information such as company name, attacked domain, ID from the LockBit ransom note, and time of attack.

Authorities advise the following:

  • Affected companies should promptly report to the authorities.
  • Provide the authorities with the company name, domain, LockBit ID, time of attack, and, if possible, the reference number of the criminal complaint.
  • Give the authorities access to contact details (name, email, phone number).

Reference, among others: https://www.nomoreransom.org/en/decryption-tools.html