0

Ransomware Group Takedown Will Have Impact | #ransomware | #cybercrime


Cybercrime
,
Cybercrime as-a-service
,
Fraud Management & Cybercrime

Even if Group Reboots, Disruption Already Stands as a Success, Experts Say


February 20, 2024    

Image: Shutterstock

Blue Monday arrived late this year for the LockBit ransomware-as-a-service group, after an international coalition of law enforcement agencies seized swathes of its infrastructure.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government


LockBit’s Tor-based data leak site suffered an unexpected makeover Monday, when instead of listing non-paying victims and publishing stolen data, it read: “We can confirm that LockBit’s services have been disrupted as a result of international law enforcement action – this is an ongoing and developing operation.” Authorities promised to soon release additional details.


Authorities also posted a message – later published by malware research group vx-underground – to the ransomware group’s affiliate panel. “Law enforcement has taken control of Lockbit’s platform and obtained all the information held on there,” including source code, details of shakedowns and stolen data, chats and more, reads the message, signed by the U.K. National Crime Agency, FBI, Europol, as well as the wider “Operation Cronos Law Enforcement Task Force.”


“You can thank LockBitSupp and their flawed infrastructure for this situation,” the message adds, referring to the group’s leadership persona. “We may be in touch with you very soon.”


“FBI pwned me,” LockBitSupp told vx-underground.


Score one for the good guys against this gang of cybercrime scum. “Anything that disrupts their operations and sows distrust amongst their affiliates and suppliers is a huge win,” said Chester Wisniewski, global field CTO at Sophos.


That LockBitSupp persona has appeared to be run by one or two individuals, including the group’s leader, according to Jon DiMaggio, chief security strategist at threat intelligence firm Analyst1. In this case, of course, perhaps it was an FBI special agent, if law enforcement successfully infiltrated the group’s operations.


LockBitSupp subsequently told vx-underground that law enforcement compromised its infrastructure by exploiting a vulnerability in certain versions of PHP, designated CVE-2023-3824. First detailed in August 2023, when a researcher published proof-of-concept exploit code, the “critical” vulnerability exists in certain versions of 8.0.x, 8.1.x and 8.2.x, when loading a .phar package file or reading a .phar file directory. Due to the flaw, “insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption” and the threat of remote code execution, according to the U.S. National Vulnerability Database. Developers began releasing patches for the flaw not long after it researchers first posted public details.


Will the LockBit disruption stick?


Certainly many of the main players appear to remain at large. “It is very unlikely that the core of the LockBit group, which is based in Russia, will be arrested but this disruption will have a significant impact on the ransomware ecosystem and we should enjoy that disruption before we get quickly back to building our defenses,” said Allan Liska, a principal intelligence analyst with Recorded Future.




Ransomware groups are nothing if not savvy self-promoters, never hesitating to try and add their own, weaponized marketing spin to any situation.


True to form, after the international police sting, LockBitSupp emailed a faux “data breach notification” to the group’s affiliates, subsequently circulated by security researchers.


“We are reaching out to inform you of a recent security incident that may have affected your personal information,” the message reads. “LockBit takes the security of your data seriously, and we are committed to maintaining the highest standards of data protection.”


Security experts have long reported that LockBit, as well as its ego-centric leader, despite their one-time popularity, seemed to be going off the rails.


LockBit cemented a reputation for being a “bottom feeder of the dark web,” driven by a perception among other ransomware group administrators that the head of LockBit was “always being drunk and talking to journalists,” Yelisey Bohuslavskiy, co-founder and chief research officer at RedSense, recently told me.


Last summer, DiMaggio reported the group had failed to scale its infrastructure to pace an explosion in its popularity with criminals, due in part to its leadership failing to retain technical talent. As a result, the group was failing in multiple ways that the leadership was attempting to cover up, including oftentimes not leaking stolen data for victims who didn’t meet its ransom demands.


Technically, DiMaggio said the group, which at one time had a reputation for having sophisticated and fast-acting crypto-malware, failed to meet milestones for putting out new versions of its ransomware. Instead, the group rebranded a previously leaked Conti locker.


At the time of the takedown, Bohuslavskiy described the group as attempting to portray itself as still being big and bad. In reality, at this “surface” layer, the group was “comically low-capability: fake claims, lack of payments, constant affiliate scams, and ‘LockBitSupp’ serving as a mere distraction for actual operations,” he said in a Monday LinkedIn post.


That public persona obscured the fact that LockBit remained in business only thanks to its use of “ghost groups,” meaning “using outsourced labor from other groups and then claiming it as their own,” including former members of BlackCat and active members of Zeon, Marley Smith, principal threat researcher at RedSense, recently told me.


Ransomware operations’ impetus for using ghost groups – typically, independent contractors who previously worked for the Russian-speaking Conti group – is to compensate for a lack of technically talent and “to maintain a certain level of mystique and power that they need” to keep attracting affiliates and scaring victims into paying, Smith said.


Post-takedown, contract talent hired by LockBit will likely remain so long as they’re still getting paid, but that doesn’t mean they won’t face fatigue and a hit to morale by having to rebuild, Bohuslavskiy said.


“Even if these operations continue as normal, the small pool of elite pentesters will most likely continue to be fatigued and quit in the event of another major takedown,” he said. “This is exactly why takedowns work, and this is why this operation should already be considered a success.”





Source link

.........................

National Cyber Security

FREE
VIEW