A Global LockBit Takedown | A Guide for CISOs
This is a developing story with huge consequences for the global cybersecurity community. Our CISO, Todd Carroll, shares his thoughts on this significant takedown.
In the last 24 hours, a significant international law enforcement effort led by the National Crime Agency (NCA) in collaboration with the Federal Bureau of Investigation (FBI) and agencies from nine other countries has successfully disrupted the operations of the LockBit cybercrime group. LockBit, known for its malicious ransomware software that steals and encrypts victims’ data, has been one of the most harmful global criminal entities over the past year.
Industries most affected by LockBit’s activities include construction, manufacturing, education, and logistics.
Operation Cronos: Explained
As part of Operation Cronos, global law enforcement teams collaborated to infiltrate LockBit’s network, gaining control of its primary administration environment as well as the dark web leak site. They also seized the group’s source code and obtained vast amounts of intelligence on their activities and affiliates.
The operation resulted in the seizure of 28 servers belonging to LockBit affiliates across three countries, the confiscation of over 200 cryptocurrency accounts, and the apprehension of two LockBit actors in Poland and Ukraine. Additionally, over 1,000 decryption keys were obtained, providing global assistance in recovering encrypted data for victims.
Fighting back against ransomware
This takedown is remarkable for the level of international cooperation involved and its significant impact on the LockBit operation, which held a considerable share of the ransomware market. Since June 2023, LockBit has been responsible for almost three times the number of attacks compared to the combined total of the next three active cybercrime groups.
While we should be pleased with these actions and the disruption of LockBit, it is crucial to remain vigilant as past actions of this nature have resulted in the formation of splinter groups. Many companies still have their data encrypted and potentially exposed.
Therefore, it is imperative to continue scaling up efforts to disrupt these groups swiftly in 2024, imposing meaningful punishments that will deter future attempts at ransomware attacks.
Interested in more ransomware threat insights?
Deep dive into more ransomware analysis in our new annual report, CybelAngel 2024 State of the External Attack Surface Report, also authored by Todd Carroll.
This report is filled with impactful metrics and insights that reveal the latest challenges in the EASM landscape.
Access the report here.