Post-LockBit, How Will the Ransomware Ecosystem Evolve?

•
February 23, 2024    

Once the dust settles on the LockBit disruption, what will be the state of ransomware?

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

Expect attackers to continue refining their tactics for maximizing profits via a grab bag of the same strategies, including forcibly encrypting systems and charging for a decryptor, stealing data and threatening to dump it, creating scary public personae, or a combination of the above.

LockBit, which was disrupted this week by law enforcement, is one of the most successful ransomware groups in history. Canadian intelligence tied it to 44% of all ransomware attacks globally in 2022. Blockchain analytics firm Chainalysis said that since the start of 2023, LockBit has received the second-highest amount of traceable ransom payments of any ransomware group.

All that appears to have ended, at least for now. “We have hacked the hackers,” National Crime Agency Director General Graeme Biggar said this week of the joint operation, which featured 10 countries’ law enforcement agencies. It disrupted the group’s infrastructure, arrested suspects in Poland and Ukraine, sanctioned multiple Russians and more (see: Breach Roundup: More Fallout From the LockBit Takedown).

“It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the agency and our partners,” Biggar said.

All hail the disruption, which will make life more difficult for LockBit and its affiliates and contractors and hopefully drive some of them to rethink their life choices.

Even so, many of the individuals involved will likely carry on, either with a rebooted LockBit or any number of other ransomware groups.

In part, that’s because ransomware is an ecosystem comprised not just of ransomware administrators and their crypto-locking malware developers but also affiliates who use the malware to infect victims, any contractors the groups hire, plus the initial access brokers who sell or provide ready-to-use remote “accesses” to sites, money launderers who clean the cryptocurrency that victims pay as a ransom, and many others.

As ransomware profits appear to have reached an all-time high in 2023 – exceeding $1 billion by Chainalysis’ reckoning – why would criminals shy away from continuing to use ransomware, especially since so many appear to be based in Russia? Moscow never extradites citizens accused of crimes abroad, and where ransomware is concerned the government may well tolerate or take a more direct role in “cybercrime” attacks launched against its Western adversaries, given the disruption such attacks cause.

Criminally Larger Than Life

Since ransomware revenue remains too good for many criminally inclined individuals to pass up, the pressing question becomes: What can defenders learn from the takedown of LockBit?

For starters, what made LockBit special, in part, was that following in the footsteps of groups such as REvil – aka Sodinokibi – the group managed to cultivate an outsized public persona.

This came in the form of the “LockBit Support” or “LockBitSupp” persona, which investigators hinted they might unmask Friday but then did not, stating cryptically that they were “engaged” with LockBitSupp.

Regardless, LockBitSupp expertly manipulated the media, which helped to keep the group in the public eye. At one time, that helped the group recruit affiliates. Until recently, making the group look like an unstoppable hacking force likely drove more victims to quickly pay up, not least to avoid their name being added to the group’s “name and shame” blog.

TTPs on Repeat

LockBit also distinguished itself by providing affiliates with fast-acting and easy-to-use crypto-locking malware as well as data exfiltration tools. The U.S. Cybersecurity and Infrastructure Security Agency said all this made ransomware profits “accessible to those with a lower degree of technical skill.”

Even so, before deploying ransomware, attackers need to employ tactics, techniques and procedures that enable them to access a victim’s network, conduct reconnaissance, find systems to infect and potentially first exfiltrate data.

Cybersecurity firm Secureworks helped LockBit victims respond to attacks on a number of occasions after the criminal group launched in late 2019. “For the most part, LockBit’s affiliates use the same TTPs as other groups engaged in ransomware,” it said. “Detecting precursor activity is crucial to defending against the threat.”

Many attacks probed by the firm used “living off the land” tactics, meaning attackers employed legitimate tools, sometimes with a high degree of persistence, to accomplish their attacks. One problem with LOTL tactics is that they often look legitimate and thus can be difficult to detect.

In other LockBit incidents investigated by Secureworks, attackers exploited the Citrix Bleed buffer overflow vulnerability – CVE-2023-4966 – in NetScaler ADC and NetScaler Gateway, infected victims by using search engine optimization poisoning to direct them to malware that downloaded Cobalt Strike beacons, pwned test environments, hacked remote desktop protocol connections protected using a single factor, and used many more strategies. In some cases, attackers then forcibly encrypted systems, although sometimes they only stole data and held it to ransom.

Info Stealer Entree

In another attack the firm investigated, the problem began when an administrator-downloaded cracked software that came bundled with Redline information stealing malware, which harvested the employee’s credentials.

One week later, LockBit-wielding attackers used those credentials to gain access to the environment, spent a day reviewing available files and then spent 90 minutes exfiltrating the data, likely by using the group’s dedicated StealBit data-stealing tool. Afterward, the attacker used the legitimate PsExec tool to run programs on remote systems and install the ransomware. “The IP addresses of the targeted hosts were listed in a text file that the threat actor had created during the discovery phase of the intrusion,” Secureworks said.

Security experts continue to warn that beyond having good cybersecurity hygiene, time remains of the essence when detecting ransomware. Spotting the signs early helps organizations eject attackers before they have a chance to steal data or unleash crypto-locking malware.

Cybersecurity firm Sophos reported that in the first half of last year, ransomware attackers’ dwell time dropped from an average of nine days to just five days. “There was one attack that was 2 hours and 12 minutes from start to finish,” Chester Wisniewski, field CTO for applied research at Sophos, told Information Security Media Group.

While LockBit is now hopefully on the rocks, organizations need to be aware that other ransomware groups will continue to come at them – and fast.