
How could LockBit return after just a few days?

  • February 27, 2024

LockBit has not (yet) been brought to its knees by an international police operation. How did the group return so quickly and can they be defeated for good?


LockBit is back after never being away. Almost a week ago, the British cybersecurity agency NCA declared victory over the notorious hacker group. With a brief announcement on the website, written as if it were an organization that had fallen victim to one of its own campaigns, LockBit is letting us know that it has no intention of stopping anytime soon.

In recent years, the name LockBit has been frequently mentioned in large-scale cybercrime campaigns against Western organizations, including in our country. The hackers, who are said to have ties to the Russian regime, have been very active since 2020 and have made enemies around the world. The list of victims includes big names like Boeing, but the group primarily caused a stir through attacks on (children’s) hospitals. How is it possible for the group to be operational again after a few days?

Snowball effect

LockBit’s quick return comes as no surprise to Simen Van der Perre, strategic advisor at Orange Cyberdefense. “Only two people were arrested in this operation and three international arrest warrants were issued. The number of criminals arrested is small compared to the scale and magnitude at which LockBit has continually claimed victims over the past four years,” he said in a written response.

Derek Manky, Global VP for Threat Intel at Fortinet, is not surprised either. “Groups like LockBit can draw on years of experience. They know they can be disrupted, so they build a resilient infrastructure. Server failure is only one piece of the puzzle. LockBit is not a single person either: behind it is a decentralized network. This ‘snowball effect’ makes it difficult to bring a group together as a whole: if a leader falls away, followers are ready.”

When a leader of a hacker group disappears, successors are ready.

Derek Manky, Fortinet

Providers and customers

A group like LockBit does not operate in a vacuum. The group has become a major player in the ransomware-as-a-service economy. This means that LockBit also sells the ransomware it develops to other hacking groups as if it were a legitimate software company. “As compensation, they demand a share of the proceeds, often twenty to twenty-five percent. LockBit became big in the criminal underworld because it had the best ‘offer’,” says Van der Perre.

The group sets a series of rules for anyone who wants to use its ransomware, which are detailed in a Fortinet blog. “Customers” are allowed to steal company data from critical infrastructure, but not encrypt it, and attacks on Russia and some post-Soviet countries are also not permitted. Everything else is allowed: non-profit organizations, children’s hospitals, etc. Attacks on non-Russian governments and police forces are even encouraged.

“Ransomware has become a very lucrative business. Hackers are becoming increasingly selective about who they sell their software to: they use a “user manual,” so to speak. Mutual trust, to the extent that it can exist between criminal organizations, is becoming increasingly important in the environment,” explains Manky.

The attack on LockBit could certainly damage its reputation in the cybercrime environment. Manky: “That also explains why the company is now communicating openly about the company: it has to prove to its network again that it is a ‘reliable supplier’. If that doesn’t work, other gangs are ready to take over the position. Turf wars also occur regularly in the digital underworld.”

“Turf wars” also occur regularly in the digital underworld.

Derek Manky, Fortinet

The war is not over yet

The police may have won a small battle, but the war is far from over. LockBit says it will hit back with more attacks on government services to “challenge” the police. This threat is consistent with recent developments in cybercrime, Manky said. “Cybercrime is shifting towards the public sector. The more important an organization’s role, the greater the need to bring systems online quickly and the greater the opportunity for criminals to obtain large sums of money.”

“The cybercriminals’ playbook is evolving,” Manky continues. “We are seeing more and more destructive attacks: hackers are acting more aggressively. Cyberattacks are no longer limited to PCs. As IT and OT networks merge, attacks on OT ecosystems are spreading.”

Manky remains combative. “A world free of cybercrime may be difficult to achieve, but operations like this have a purpose. If only to send the message that we won’t just let ourselves be done like that. But in order to achieve a lasting impact, it is important to involve as many stakeholders as possible and not work in silos. There has been a positive turnaround here in the last few years,” he concludes on an optimistic note.

Source: IT Daily
