Dealing a lasting blow to a ransomware ring
Add Axios as your preferred source to
see more of our stories on Google.
Ransomware is a rampant, ever-evolving cybersecurity threat that has become an endemic problem for all organizations.
The big picture: Fighting the cybercriminal gangs behind these attacks has become a game of whack-a-mole.
- Law enforcement seizes a gang's servers and domains, dealing a temporary blow to its operations — only for the hackers to rebuild and relaunch their attacks a few months later.
Between the lines: The 2024 takedown of LockBit was different. The perpetrators are still struggling to recover nearly a year later.
Driving the news: A new Axios analysis of the LockBit indictments provides one of the clearest views inside a ransomware gang's operations.
- The documents shared details about what a LockBit attack looked like, who operated the gang, and how LockBit communicated with freelancers who helped along the way.
By the numbers: LockBit had attacked more than 2,500 organizations worldwide prior to the takedown, according to the U.S. Justice Department.
- Over the years, victims included major corporations like Boeing and even a children's hospital.
The intrigue: The LockBit takedown is one of the only examples of law enforcement destroying a cybercriminal operations' brand reputation, alongside its technical infrastructure.
- Investigators took over the ransomware gang's dark-web site to troll its operators.
- They posted countdowns for when they'd reveal new sensitive information about the group and published a free decryption tool for victims.
What they're saying: "Our goal was to make LockBit, the variant itself in the technical ecosystem, radioactive," Brett Leatherman, deputy assistant director of the FBI's cyber operations, told Axios.
Zoom in: By many accounts, that strategy has worked so far. It's difficult to rebrand when the foundation of the brand has been destroyed and mocked.
- The gang's operator was banned from popular hacker forums Exploit and XSS, making it difficult for him to recruit new members, according to a Trend Micro report.
- Any remaining affiliates who wanted to keep working with LockBit no longer had access to the famed control panel. Whenever they opened it, they would get a message saying "law enforcement had taken control and might be in touch with them," per Trend Micro.
What we're watching: LockBit warned last month that it's planning to launch a new version of its ransomware Feb. 3.
- The gang is planning to launch five different dark-web sites, an indication that it could be strengthening its operations.
Go deeper: How a ransomware attack works
