Trend Micro: LockBit ransomware gang's comeback is failing

LockBit is struggling to resume operations in part due to the name-and-shame aspect of the international law enforcement operation responsible for the gang's disruption.

LockBit is apparently struggling in its attempted comeback after an international law enforcement operation disrupted the ransomware gang in February.

International law enforcement agencies on Feb. 20 announced "Operation Cronos," a multipronged takedown effort led by the U.K.'s National Crime Agency intended to disrupt ransomware as a service (RaaS) titan LockBit. As part of the monthslong operation, law enforcement seized multiple domains connected to the gang, including its data leak site, as well as source code and more than 1,000 decryption keys. Law enforcement also gained substantial intelligence as part of the operation and arrested two suspected LockBit members, Ivan Kondratyev and Artur Sungatov.

Initial reports of post-disruption activity suggested LockBit could have made a rapid comeback, as the gang restored its servers with new .onion domains only a few days later. However, according to Trend Micro research published Wednesday, the ransomware giant is struggling to make a comeback.

Trend Micro's report provided a broad overview of Operation Cronos, the aftermath, a timeline of relevant events and an analysis of a new version of LockBit ransomware, known as "LockBit-NG-Dev." The bottom line, according to Trend Micro, is that LockBit's comeback is failing.

Foremost, LockBit suffered substantial reputational damage from the disruption effort, which was made highly visible given law enforcement's decision to publish a "rebranded" leak site to LockBit's .onion domain featuring agency press releases, decryption keys, back-end leaks and more.

In addition, when ransomware gang affiliates attempted to log in to their LockBit control panel, they "were greeted with a personalized message informing them that law enforcement had taken control and might be in touch with them," Trend Micro's report read.

Bob McArdle, Trend Micro's director of forward-looking threat research, told TechTarget Editorial that this name-and-shame reverse leak site tactic represented both an effective communication strategy for Operation Cronos as well as an understanding of how valuable LockBit's brand is in the ransomware community.

"I think it's a combination of two things. I think one is knowing doing that will get a lot of amplification, both in terms of media and underground chatter. That's already a good reason to do it," he said. "And then the second reason is that clear understanding that what set LockBit apart was its brand. If you're effectively defacing their website while simultaneously showing all the things that are wrong with them, that's about as damaging as you can get for a brand."

Screenshot: Law enforcement agencies replaced LockBit's leak site with a clone name-and-shame site featuring press releases, decryption keys, back-end leaks and more.

Traditionally, ransomware gangs would simply rebrand after a law enforcement takedown or disperse to other uncompromised ransomware gangs. The brand element is why the gang, which was one of the most prolific RaaS operations in the world, is seemingly still working on its recovery effort.

"The thing that set LockBit apart from any other ransomware vendor out there was their brand. Other ransomware had faster encryption or nicer user interfaces for the criminals," McArdle said. "But what LockBit had was that they had essentially been market leader with the most recognizable brand. When you attack the brand, they don't have anything else left over. They're not the most powerful product, they're not anything else. LockBit doesn't have a choice -- their unique selling point is the name LockBit. That's what they're trying their very best to hold on to."

LockBit's attempt at a rebound faces many hurdles. For example, the gang's operator, known as "LockBitSupp," was banned from the popular hacker forums Exploit and XSS. In addition, there has been barely any new activity attributed to LockBit since the takedown. Trend Micro's research also included a technical analysis of a new, in-development version of LockBit's ransomware, which features a completely new codebase following the takedown and law enforcement's seizure of the original source code.

Law enforcement agencies have made major strides in disrupting ransomware groups in recent years, be it LockBit or the Alphv/BlackCat and Hive takedowns last year. However, sustained ransomware disruption can prove particularly complicated, as threat actors often either rebrand or operate in nations where they aren't at risk of extradition.

This law enforcement name-and-shame tactic could represent a new way forward. Even if it was potentially intended as a means of drawing public and media attention to the disruption, McArdle said this could also become a new part of the playbook for dealing with ransomware gangs in a more sustainable way.

"Whether it was fully intentional or not, the result definitely sets a new benchmark for how you do a takedown-slash-disruption of a criminal group -- especially one where you can't arrest the key actors," he said. "You completely undermine their ability to do business. A secondary effect, which probably wasn't even predicted, was just how much paranoia it has spread in the criminal underground."

Trend Micro's report referenced this paranoia as well, stating that the disruption sparked "self-reflection" among other RaaS groups, which were eager to learn how LockBit was infiltrated by law enforcement. For example, the vendor observed a Snatch RaaS operator warning on their Telegram channel that they were all at risk. In addition, Trend Micro said members of the cybercrime underworld began questioning whether LockBitSupp had collaborated with law enforcement or government agencies.

"This is a subtle bonus stemming from the disruption operation: the spread of paranoia in the cybercriminal ecosystem. Other groups are now taking a closer look at what they need to do to reduce the risk of infiltration," the report read. "Anything that makes operating more difficult is a good thing in the fight against ransomware actors."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.