Ransomware LockBit Takedown

LockBit Takedown & Pseudo-Reemergence Continue to Crystallize the Economic Impacts of Ransomware-as-a-Service

Introduction

Globally, governments are on the hunt for cybercriminals. It has been proven that international cooperation is vital to safeguard against these sophisticated cyber threats. The past thirty days have been illuminating for some, unsurprising for others, and climactic for all.

Events as We Know Them

February 18, 2024

The U.S., the UK, and the EU announced they had disrupted the prolific ransomware group LockBit in an unusually aggressive international law enforcement operation that turned the hackers’ own site against them.

Who is LockBit?

LockBit is a notorious ransomware gang with an extensive track record of over 2,000 attacks worldwide since January 2020, causing significant disruptions, data loss, and ransom payments exceeding $144 million.

“They are the Walmart of ransomware groups, they run it like a business – that’s what makes them different,” said Jon DiMaggio, chief security strategist at Analyst1, a U.S.-based cybersecurity firm. “They are arguably the biggest ransomware crew today.”

LockBit has attacked small to medium business enterprises, public entities, and government contractors. In November last year, LockBit published internal data from Boeing, one of the world’s largest defense and space contractors, attacked the U.S. arm of the International and Commercial Bank of China, disrupting trades in the U.S. Treasury market, and a mere couple of days later reported that China’s biggest lender, the Industrial and Commercial Bank of China, paid a ransom after it was also hacked.

What Happened?

Bouncing back from an unsuccessful takedown of the ALPHV ransomware gang, the FBI and its global law enforcement partners were able to cause a week-long, arguably longer, disruption to LockBit.

February 20, 2024

Officials used the seized web page to taunt the hackers with forthcoming releases of data and a decryption tool for victims to decrypt their data for free. The U.S. also unveiled sanctions and indictments against two of the group’s key operatives in Ukraine.

As a result of the arrests, law enforcement was able to seize more than 200 cryptocurrency accounts and 34 servers used by the gang in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and Britain, Ukrainian police reported.

February 20, 2024

The U.S. State Department announced a substantial monetary reward, dubbed the “LockBit Ransomware Bounty,” of up to $15 million for information leading to the identification and arrest of key figures within LockBit. This move comes in response to the group’s extensive track record of over 2,000 attacks worldwide since January 2020 and ransom payments exceeding $144 million.

February 26, 2024

LockBit reported through a lengthy manifesto online that it was back in action with other servers and backup blogs. Surprisingly, the new LockBit dark web site showed a gallery of company names, each attached to a countdown clock marking the deadline within which that company was required to pay ransom.

Previously, LockBit touted that once a victim paid under its ransomware-as-a-service (RaaS) model, the stolen company data would be deleted. After the takedown, it became evident that the gang did not honor its promises. The extent of the damage law enforcement did to the gang, however, was left to speculation and time.

One of the entries on the list of forthcoming ransom deadlines was Fulton County, Georgia. Among that data, LockBit claimed, was information about former president Donald Trump’s ongoing court cases in the county and information that could affect the 2024 presidential election. However, the February 29th deadline for Fulton County to pay the ransom came and went without any data being published. LockBit then claimed that Fulton County had paid the ransom; Fulton County denied paying anything whatsoever.

Conclusion

Many are speculating about the reasons for LockBit’s false narratives, but these events boil down to the ever-present issue of cybersecurity and the need for stronger protections globally. These events have also sparked a fresh call for a ban on ransomware payments to perpetrators.

“Ransomware is by far the most damaging cyber threat to most businesses right now. We have to find a way of making a ransom payment ban work,” said Ciaran Martin, founding CEO of the UK’s National Cyber Security Center (NCSC). There is certainly a reemergence of thought in the cybersecurity industry that a federal ban on ransom payments is the only way to disrupt the crime in the long term, despite the challenges that would come with such a move.

Many compare these efforts to the 1991 law enacted by the Italian government to curb ransom payments to high-profile kidnappers – a seemingly boundless crime at the time. Some states, such as Florida and North Carolina, have already passed limited ransomware payment bans that prohibit local government entities and state agencies from paying ransom demands.

Critics urge governments against bans, arguing that such bans would leave many businesses unable to recover their systems, especially in circumstances where the only option has been to pay. Ban proponents such as Ciaran Martin answer this by imploring governments to collaborate on a framework that supports attacked organizations lacking the resources to recover. Other efforts under discussion would shift strategy from disrupting individual groups or affiliates to offensive operations against ransomware gangs’ finances.

We continue to follow the trends and what evolves beyond the Counter Ransomware Initiative, which includes nearly 50 member countries vowing not to pay ransoms. Until then, it is clear that RaaS is not going anywhere anytime soon unless something substantial occurs.

At the time of writing, ALPHV/BlackCat had claimed responsibility for the Change Healthcare cyberattack, and Change Healthcare’s parent company, UnitedHealth Group, had confirmed the attack.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

About the Author

Jade Davis

Partner | Tampa Office

T: 813.329.3890
E: jdavis@hallboothsmith.com

Jade Davis focuses her practice on data privacy, cyber security, and construction matters. Jade provides strategic privacy and cyber-preparedness compliance advice and defends, counsels, and represents companies on privacy, global data security compliance, data breaches, and investigations.