CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
49.2%
In a coordinated effort by National Crime Agency, Europol and multiple other internation law enforcement agencies dealt a significant blow to the operations of the LockBit ransomware group. Dubbed Operation Cronos, this multi-agency initiative led to the seizure of LockBit's dark web portal and in a swift transition, the portal was repurposed into a knowledge base housing critical information for victims and stakeholders. As part of the operation, law enforcement agencies dismantled numerous servers associated with LockBit, seized multiple cryptocurrency wallets linked to illicit activities, and recovered a substantial number of decryption keys.
LockBit's emergence in 2019 marked the beginning of its evolution into a nefarious Ransomware-as-a-Service (RaaS) operation. Since late 2021, LockBit has maintained a relentless pace, consistently targeting approximately 200 victims per quarter. It has more than 2,300 victims documented within its dark web portal, however, it's important to note that these figures may not encompass all victims, as some may have engaged with LockBit offline, outside of its dark web portal.
LockBit coded in C/C++ utilizes a customized AES+ECC cipher, employing a unique encryption method that targets only the initial 4 KB of each file. This strategic approach renders the files unstable, speeding up the attack and providing defenders very less time to stop the attack. Its encryptor has undergone numerous iterations and developments, evolving into a highly sophisticated weapon in the realm of cybercrime.
Moreover, a forthcoming .NET-based iteration, Lockbit-NG-Dev, at an advanced development stage was also discovered in recent attack. Each of these versions aimed to improve encryption strength and evade detection.
LockBit hack is purported to be the exploitation of a PHP flaw either CVE-2023-3824, a buffer overflow leading to RCE or a zero-day in PHP. The exploitation enabled Enforcement agencies to take over their dark web portal, victimโs admin server and chat servers running vulnerable PHP version. The agencies seized LockBitโs site and skillfully converted it into a knowledge base maintaining its distinctive LockBit aesthetic. Their operation resulted in the dismantling of 28 servers, the recovery of over 1,000 decryption keys, and the acquisition of the platform's source code. Additionally, they effectively blocked 200 crypto accounts associated with illicit activities and flagged over 14,000 rogue accounts worldwide for removal. Additionally, Agencies have destroyed all StealBit proxy servers, LockBit's exfiltration platform, severely limiting its functionality.
One notable aspect of Operation Cronos was the access gained to LockBit's affiliates panel. Federal agencies leveraged this access to gather valuable intelligence, including affiliate nicknames, chat histories, Bitcoin wallet addresses, and IP information. Around 190 affiliates were discovered, and outreach efforts were initiated with affiliates, marking a proactive approach to engage with individuals connected to criminal enterprises.
LockBit resurfaced on 24th Feb with a new tor site and a list of victims. It managed to restore itself from backup servers which didnโt had vulnerable PHP versions. In a follow-up message, LockBit claimed that the agencies targeted its infrastructure following a ransomware attack on Fulton County in January, which potentially compromised sensitive documents relevant to upcoming U.S. elections. They called for more frequent attacks on the ".gov sector" and revealed that the authorities obtained only 2.5% of decryption keys.
Acknowledging their previous lapses in patching vulnerabilities, the group has pledged to enhance their security measures proactively. In response to evolving threats, they have refined the trial decryption process, opting to avoid storing keys on the portal servers to mitigate potential risks. Additionally, the group has issued a call-to-action for new affiliates to join their ranks, aiming to bolster their operational capabilities and expand their network.
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
49.2%