Yesterday, an international operation coordinated between government agencies from the United States, Great Britain, Europol and allies from 10 countries, named Operation Cronos, took down an important part of the infrastructure of the LockBit ransomware gang. In this operation, law enforcement took control of 34 servers, including the one that hosted the negotiation portal with the victims, froze more than 200 cryptocurrency accounts or wallets used to collect money from the victims, and made several arrests, with others in progress. LockBit is one of the most active ransomware gangs, with the largest number of known victims worldwide, affecting companies of all sizes; many of those victim companies are from Mexico. It is worth noting that practically all the statistics published so far were based on public data from LockBit’s website and/or on those victims who reported the attacks, so the real impact may be much higher. According to their portal, they had a share of about 25% of the ransomware market, followed by AlphV/BlackCat with about 8.5%. LockBit is a Ransomware-as-a-Service (RaaS) program that emerged in January 2020. They launched the service with LockBit 1.0 and have since released new versions known as LockBit 2.0 (LockBit Red), LockBit 3.0 (LockBit Black), LockBit Linux/ESXi and LockBit Green, and were already working on the development of the next release, LockBit 4.0. It is one of the pioneer gangs in treating ransomware as a global business opportunity and in scaling its operations through affiliates, with an exponential growth rate that allowed it to cause enormous damage by disrupting thousands of businesses, causing huge financial losses, directly or indirectly, and negatively affecting the lives of very many people. The criminal group’s profits are estimated to exceed US$90 million.
As for the tactics, techniques and procedures (TTPs) of LockBit and its affiliates, their initial access vectors into victims’ networks were diverse and depended on each affiliate, usually exploiting known vulnerabilities in Internet-exposed devices (such as edge routers or firewalls from different vendors) and then moving into the network’s internal systems. The main vulnerabilities known to have been exploited by the gang are:
- CVE-2023-0669: Fortra GoAnywhere Managed File Transfer (MFT) Remote Code Execution Vulnerability
- CVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability
- CVE-2021-44228: Apache Log4j2 Remote Code Execution Vulnerability
- CVE-2021-22986: F5 BIG-IP and BIG-IQ Centralized Management iControl REST Unauthenticated Remote Code Execution Vulnerability
- CVE-2020-1472: Microsoft Netlogon Privilege Escalation Vulnerability
- CVE-2019-0708: Microsoft Remote Desktop Services (RDP) Remote Code Execution Vulnerability
- CVE-2018-13379: Fortinet FortiOS Secure Sockets Layer (SSL) Virtual Private Network (VPN) Path Traversal Vulnerability
Like many of today’s ransomware gangs, once the first computer on the network is compromised, they seek to use well-known and seemingly trustworthy tools, which are sometimes already present on the victim’s computers because the IT team also uses them for administrative tasks, such as TeamViewer, AnyDesk, FileZilla, WinSCP, RClone, PuTTY, Microsoft Sysinternals PsExec, MEGA Sync, Advanced IP Scanner, etc. This tactic is known as “Living-off-the-Land” (LotL) and today poses one of the biggest difficulties for cybersecurity experts, because these processes and tools can pass as legitimate activity and go unnoticed even by monitoring teams. According to unofficial information from LockBit’s own operators, law enforcement exploited a remote code execution (RCE) vulnerability in PHP 8.0.*, CVE-2023-3824, a stack buffer overflow affecting its portal. Having taken control of the infrastructure, law enforcement was able to get an inside look at the gang’s negotiation and operations portals. Several of these sites were published by law enforcement so that the dynamics of cybercrime could be understood and studied.
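One way a monitoring team can cut through the LotL problem described above, as an added example that is not part of the original article: parse process-creation events, ignore the hosts and users where the IT team is known to run these dual-use tools, flag the remaining executions (noting installs in user-writable paths), and escalate a host on which tools covering several intrusion roles (discovery, lateral movement, exfiltration) ran together. The log format, hostnames, users and the admin baseline are assumptions; the sample events are constructed.

```python
import re
from collections import defaultdict

# Tool binary -> role it plays in an intrusion (the dual-use tools the article names)
LOTL_TOOLS = {
    "advanced_ip_scanner.exe": "discovery", "psexec.exe": "lateral-movement",
    "putty.exe": "remote-access", "teamviewer.exe": "remote-access", "anydesk.exe": "remote-access",
    "filezilla.exe": "exfiltration", "winscp.exe": "exfiltration",
    "rclone.exe": "exfiltration", "megasync.exe": "exfiltration",
}
ADMIN_BASELINE = {("it-jump01", "corp\\helpdesk")}  # assumed (host, user) pairs where IT runs them
LINE_RE = re.compile(r'host=(\S+) user=(\S+) image="([^"]+)" parent="([^"]+)"')
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.I)

def parse_event(line):
    """Parse one constructed key=value process-creation line; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, user, image, parent = m.groups()
    return {"host": host.lower(), "user": user.lower(), "image": image, "parent": parent}

def triage(lines):
    """One alert (host, user, tool, role, flag) per LotL tool run outside the admin baseline;
    flag marks a user-writable path, where admins rarely install these tools."""
    alerts = []
    for ev in filter(None, map(parse_event, lines)):
        tool = ev["image"].rsplit("\\", 1)[-1].lower()
        role = LOTL_TOOLS.get(tool)
        if role is None or (ev["host"], ev["user"]) in ADMIN_BASELINE:
            continue
        flag = "user-writable-path" if USER_WRITABLE.search(ev["image"]) else ""
        alerts.append((ev["host"], ev["user"], tool, role, flag))
    return alerts

def chained_hosts(alerts, min_roles=2):
    """Hosts on which tools covering at least min_roles distinct intrusion roles ran:
    discovery plus lateral movement or exfiltration is a pattern one admin task rarely leaves."""
    roles = defaultdict(set)
    for host, _user, _tool, role, _flag in alerts:
        roles[host].add(role)
    return sorted(h for h, r in roles.items() if len(r) >= min_roles)

SAMPLE = [  # constructed events, not real telemetry
    'host=it-jump01 user=CORP\\helpdesk image="C:\\Program Files\\AnyDesk\\AnyDesk.exe" parent="explorer.exe"',
    'host=ws-fin07 user=CORP\\jdoe image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\Advanced_IP_Scanner.exe" parent="cmd.exe"',
    'host=ws-fin07 user=CORP\\jdoe image="C:\\Users\\jdoe\\Downloads\\rclone.exe" parent="cmd.exe"',
    'host=ws-fin07 user=CORP\\jdoe image="C:\\Windows\\Temp\\PsExec.exe" parent="powershell.exe"',
    'host=ws-hr02 user=CORP\\asmith image="C:\\Program Files (x86)\\WinSCP\\WinSCP.exe" parent="explorer.exe"',
    "malformed line that should be skipped, not crash the triage",
]
```

Running `triage(SAMPLE)` yields four alerts (the helpdesk AnyDesk run is suppressed by the baseline) and `chained_hosts` singles out ws-fin07, where discovery, exfiltration and lateral-movement tooling all ran from user-writable paths.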
Among other things, it became evident that the criminals had kept information and data on the victims, including cases in which the victims had paid, in clear violation of what was promised during the negotiation. This confirms suspicions that, in many cases, agreeing to pay is no guarantee that the criminals will actually delete the exfiltrated files, which may then be used for other purposes. As part of Operation Cronos, law enforcement also recovered more than 1,000 decryption keys from the seized LockBit servers, with which they developed a LockBit 3.0 decryption tool that is now available for free through the No More Ransom portal: https://www.nomoreransom.org/en/decryption-tools.html. If your organization has been a victim of LockBit and you still have encrypted files that you have not been able to recover, we recommend using this tool to try to decrypt them. The FBI has set up a form for all LockBit victims who wish to participate in the prosecution of the gang members, which will take place in the United States. Victims can use it to submit a victim impact statement, to seek restitution for damages, or to request information or assistance. The form is available to victims both inside and outside the U.S.: https://lockbitvictims.ic3.gov. While the gang may try to regroup and continue its criminal operations, this operation is a major blow to cybercrime and sends an important message against the sense of impunity among cybercriminals.
Sources:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant