The LockBit Takedown

The LockBit Takedown

The Dark Dive takes a forensic look at Operation Cronos, the international law enforcement takedown of the LockBit ransomware group.

This episode of The Dark Dive takes a forensic look at Operation Cronos, the international law enforcement operation targeting LockBit – one of the most infamous ransomware groups.

Dr. Gareth Owenson and Louise Ferrett give an overview of LockBit, explain how Operation Cronos has unfolded, and discuss why law enforcement has taken an unconventional approach (“the most epic trolling in cybersecurity history”) to this ransomware group takedown.


Aidan Murphy - Searchlight Cyber

Aidan Murphy


Dr. Gareth Owenson - Searchlight Cyber - Co-Founder and CTO- Leadership team

Dr. Gareth Owenson

Co-Founder and CTO of Searchlight Cyber

Louise Ferrett

Senior Threat Intelligence Analyst at Searchlight Cyber

Recorded on May 14, 2024, this Episode of The Dark Dive Covers:

The Unmasking of LockBitSupp

The admin behind the LockBit ransomware group who the FBI has named as Dimitry Khoroshev.

How LockBit Responded to Operation Cronos

Including analysis of a 3,000+ word statement that the LockBit admin published in the aftermath of the first stage of Operation Cronos in February 2024.

How This Operation Has (And Could Still) Impact Other Ransomware Groups

With the BlackCat ransomware gang choosing early retirement shortly after Operation Cronos was announced earlier this year.


Aidan Murphy: Hello, and welcome to another episode of The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy, and I’m your host. This episode follows the first series that we released in March covering the fundamentals of the dark web, including how it works, dark web marketplaces, forums, ransomware groups, and much more. So, if you like what...

Aidan Murphy: Hello, and welcome to another episode of The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy, and I’m your host. This episode follows the first series that we released in March covering the fundamentals of the dark web, including how it works, dark web marketplaces, forums, ransomware groups, and much more. So, if you like what you hear on the podcast today make sure you go back and listen to that. From now on, we’re going to be releasing an episode a month based on a topic that is timely, or maybe has been in the news. This month, we’re focusing in on one of the biggest developments in cybercrime since we recorded our first series: the international law enforcement operation against the notorious ransomware group LockBit. We’re going to take a deep dive into everything we know about LockBit, how the law enforcement operation called Operation Cronos has panned out, and its impact on the ransomware scene. To do that I’m joined by two voices that are going to be very familiar to regular listeners of The Dark Dive. Dr Gareth Owenson, an authority in the realm of dark web technologies, and now CTO of Searchlight Cyber, the company he co-founded to help combat crime on the dark web. Hello, Gareth. 

(TC: 00:01:16) 

Dr Gareth Owenson: Hi. 

(TC: 00:01:17) 

Aidan Murphy: Louise Ferrett, a senior threat intelligence analyst who has spends her days scouring the dark web, observing the latest trends in developments, and identifying sources that threat intelligence teams can use to protect against the latest attacks. Hello, Louise. 

(TC: 00:01:29) 

Louise Ferrett: Hello. 

(TC: 00:01:30) 

Aidan Murphy: So, we’re here to discuss this major law enforcement operation against the ransomware group known as LockBit. I wondered, Louise, if you could maybe share your expertise, and provide us with a bit of an overview of the group who are LockBit? 

(TC: 00:01:45) 

Louise Ferrett: I think most outlets have a pretty similar, sort of, LockBit origin story. Originally known as ABCD ransomware, just because that was, sort of, what would be appended on to encrypted files when they first started attacks. Not to get too ahead of myself, but one of the accounts that was mentioned in the latest indictment as being linked to the operator, you can actually see them advertising and unnamed ransomware I think it’s August 2019, which is shortly before the date that again most outlets put LockBit as, kind of, starting. So, LockBit is generally believed to have been formed as a ransomware as a service group in September 2019. So, the general background, they were far and away, sort of, the most successful ransomware as a service operation. They had a very public presence on the cyber criminal forums. Primarily, through the now infamous forum account LockBitSupp. They would not only be advertising their ransomware as a service scheme, and trying to recruit affiliates, but they had also, kind of, got into feuds with other ransomware gangs. REvil, and BlackCat, or AlphV, are two examples. 

Whoever was behind LockBitSupp, which I’m sure we’ll get into, once offered $10 million I believe to anyone that could de-anonymize them. I know this is a favorite of yours, Aidan, they also ran a $1,000 giveaway to anyone that would get their logo, so the LockBit logo tattooed on themselves. In the world of cybercrime, like, very savvy marketers also just completely running riot, and encrypting thousands of companies, and posting their data on their dark web leak site. 

(TC: 00:03:58) 

Aidan Murphy: Interesting. So, the picture you’re painting, Louise, is of a group that I guess is slightly infamous. Notorious for, kind of, bad behavior, and like you say, almost publicity stunts. I think it’s worth probably calling out a couple of things that you mentioned there. So, you said that they’re a ransomware as a service group. If people have listened to our ransomware podcast before they’ll probably know what that is, but I guess maybe for the listener who doesn’t know, could you explain how that works? Basically, we’re talking about a group that’s racked up thousands of victims, but it’s not just one guy behind it, is it? 

(TC: 00:04:30) 

Louise Ferrett: That’s right. So, ransomware as a service refers to this, sort of, structure of operations in the cybercrime underground where one person, or a small group of people, will be responsible for developing the ransomware and administration responsibilities. And then the actual attacks, so gaining access to corporate networks and deploying the ransomware, are carried out by what is known as affiliates. So, you can think of it as, kind of, the core developer admin, or developer admin group in the middle, with all these affiliates spidering off. Basically, kind of, independent contractors. So, they get access to the ransomware, which is likely going to be more sophisticated than something they could make themselves or buy off of a cyber criminal forum or market. They get access to that, and in return, they pay a percentage of whatever ransom that they’re able to extort out of the victim company to the core developer admin group essentially. 

(TC: 00:05:54) 

Aidan Murphy: It’s true, this kind of ransomware is a service model that groups like LockBit, not just LockBit but others, are able to hit so many victims, because there are multiple people working on it. So, just to put some numbers around this. So, there are various figures, kind of, being used by law enforcement at the moment to discuss the number of LockBit victims that there are, but they’re all pretty consistent, and being in the thousands. In our own study on the number of victims that ransomware gangs list on their dark websites, LockBit has been the top for the past two years, listing more than a thousand victims last year alone. Obviously, there are some issues with those numbers, they could be claiming victims that aren’t really victims, or they could not be posting victims on their dark website for particular reasons, but this gives an indication of, I guess, how prolific this group is. As you mentioned, Louise, it’s fair to say that LockBit have become basically the most prolific, well, had become the most prolific group in terms of the ransomware sea. 

(TC: 00:06:58) 

Louise Ferrett: Yes, I’d say that’s fair. They’re, kind of, the ones that even people that don’t really know anything about cybersecurity would have had a fair chance of hearing about in a news report, or something similar. 

(TC: 00:07:14) 

Aidan Murphy: Yes, or see someone walking around with a LockBit tattoo. That might be where they found out about them. So, I mean, I guess that fits. So, this major law enforcement operation, Operation Cronos. I mean, I don’t know how law enforcement name these things, but Cronos is the main Titan, and father of Zeus. So, we’re assuming that’s some allusion to the fact the fact that they’re taking on one of the biggest groups out there. Gareth, I wondered if maybe you could give us a little bit of a rundown of Operation Cronos, and, I guess, the nature of the operation? It seems to be a bit of a law enforcement operation with a twist. It would be good to, yes, just get a general overview from you on how it’s unfolded. 

(TC: 00:07:53) 

Dr Gareth Owenson: Yes, so, sure. I mean, the way most of these ransomware groups work is they have on the dark web a website, typically a leak site, where all of the victims which they hack, let’s say they hack the NHS, for example, they’ll demand a ransom from the NHS. They will also publish a little section on their website saying, you know, they’ve compromised NHS. Often showing a countdown to when they’re going to release the files, which they’ve stolen from the NHS. Now if the NHS pay the ransom they’ll provide the NHS with a decryption key, at least most of the time, and then they won’t publish the files on that blog, and they’ll remove them from it. So, LockBit had a leak site, obviously called the LockBit Blog, where they had a large number of tiles representing each of the victims which they’d hacked over time. Now some of those tiles, you know, if you clicked on them you got the files, because the victim hadn’t paid the ransom. Some of them were companies which had been hacked, and the information was to be released at some point in the future. Normally, that meant that the tiles had a countdown timer on them to the time in which those files were going to be released. 

The leak site for most ransomware groups is essentially their public facing image to the rest of the world, and it shows the activity which they’re involved in. As you guys said earlier, LockBit was one of the most prolific groups in terms of the number of victims which they went after. Now back in February the LockBit leak site got replaced with a holding page showing the logos of an international consortium of law enforcement agencies, saying, ‘Please, come back on,’ you know, ‘Tuesday, 8:00pm,’ for example, ‘And there will be more revealed.’ When people returned on Tuesday they saw the LockBit leak site in the same style, design, etc, which he was leaking victims, but with the law enforcement logos along the top. A messaging saying that the site had been seized, and then each of the tiles which normally would represent compromised victims was essentially a law enforcement information tile. The first one being press releases. The second one being, ‘Who is LockBitSupp?’ the guy that’s supposedly running LockBit. Then a bunch of other ones showing information which had been stolen from LockBit servers, and things like that. 

Now all of these tiles had countdowns just like victims would do, and so over the course of that week progressively more and more information got released about the LockBit operation, you know, the work that had been doing across different agencies, and even with some private companies to reveal the details of their operation. Some of those tiles included information which had been stolen from LockBit servers detailing the actual operations behind them, who some of the affiliates were, where some of the money had flowed from the LockBit operation, as well as other sorts of private communications from behind the scenes. Now the whole week was building up to a crescendo at the end on a Friday, where one of the tiles was labeled, ‘Who is LockBitSupp?’ LockBitSupp, as I said, being the administrator. On the Friday morning the details were supposed to be released I think at about 7:00am English time, and a little banner popped up on the tile saying, ‘Extended until midday.’ 

Then at midday whilst everyone’s expecting the name of LockBitSupp to be revealed, the tile expired, and when you clicked there, the LockBitSupp tile, you essentially got a series of messages saying, ‘We know who he is. We know where he lives. We know what types of cars he’s got.’ Then a, sort of, picture of a cat, which I think is referring to something personal to him. Then a message at the very bottom saying that LockBitSupp was operating with law enforcement, was working with law enforcement. Didn’t actually reveal his identity, but it, sort of, alluded to the fact that they knew who it was. 

(TC: 00:11:34) 

Aidan Murphy: So, it’s fair to say this is not usual practice for a law enforcement take-down. This is quite an elaborate, prank is probably the wrong word, but it’s almost, kind of, trolling of LockBit. Is that, kind of, fair to say, and what do you think is the objective behind doing it in this way? 

(TC: 00:11:52) 

Dr Gareth Owenson: Yes, so almost up until recently what ordinarily happens when law enforcement take over a dark net website is they replace it with a seizure banner saying, ‘This website has been seized,’ and usually, a smattering of logos from the agencies which have been involved. With LockBit, it was clearly like a cy-ops campaign basically to discredit the guy, and to drive a wedge between him and the affiliates. To show that LockBit has been compromised, you can’t trust him, because ultimately LockBit depends on his affiliates, right, for his business. So, they’re the ones that are actually going out and gaining access to companies, and launching the ransomware, and then he’s taking a cut of the money. Now if the affiliates lose trust in him then, you know, his business is essentially over. So, I think that was really the purpose of the operation. It was to not only disrupt LockBit, but also to discredit him among the people that are essentially bringing him his business. All indications are that was relatively successful. I was somewhat skeptical of it when I saw it initially, but actually we saw immediately after the operation a huge drop in the number of victims which the guy was hacking. 

(TC: 00:12:57) 

Aidan Murphy: Yes, amazing. So, we’re going to get, of course, some figures around that as well. So, we’ll go into that detail on, kind of, the impact of this initial element of the operation in February. I guess, just to point out it out, so as well as this slightly more elaborate element, there were some traditional parts behind this operation. So, their seized infrastructure related to LockBit, and their data exfiltration tool, 28 servers, obtained 1,000 decryption keys, froze more than 200 cryptocurrency accounts, and Europol arrested two people that they have said are alleged to be LockBit members. So, I guess, yes, as you say, Gareth, it’s combining this traditional element, what would usually be a seizure notice, and maybe some press releases around the arrested individuals, with this more elaborate element possibly designed to discredit LockBit, and demonstrate just how much of their infrastructure had been compromised. So, as you mentioned, Gareth, there was the impact of the operation. I don’t know, Louise, maybe, first of all, how did we see it impact LockBit as a group? 

(TC: 00:14:02) 

Louise Ferrett: So, like Gareth mentioned, we did see an initial drop the amount of victims that they were posting. Obviously, the original leak site had been taken over by law enforcement, but a new one was quickly stood up. LockBitSupp also released a statement basically copping to their faults. I’m pretty sure it was a vulnerability that they had failed to patch, or at least they claimed it was due to a vulnerability that they had failed to patch that law enforcement were able to get access. They remained steadfast in their commitment, I guess, to ransomware as many companies as possible, and we quite confident that this wasn’t going to stop them, or slow them down. 

(TC: 00:14:59) 

Aidan Murphy: I think we could do a whole podcast just on the statement alone. So, just to give listeners an idea of this, and we can add a link to it in to the show notes as well. This statement was 3,000 words long. So, pretty comprehensive. Yes, so they said that they believed that their attacks were a compromised version of PHP. I was struck, as I am always struck, and Louise knows this, because I’m often sharing bits of quotes from people, with the language that they use, and the way they reacted to the attack. One thing I remember asking you at the time about, Louise, is they seemed to imply that they were based out of the US, and that they would vote for Donald Trump. Later developments seemed to suggest that that is not the case. 

(TC: 00:15:44) 

Louise Ferrett: Yes, I mean, this guy has pretty much claimed to be from everywhere. I’ve seen him claiming that he was in China before. I’ve seen him claiming that he was in Europe, and, yes, like you said, America. I think there is, like, a concept, right, like a Russian misinformation concept of just always lie. 

(TC: 00:16:05) 

Dr Gareth Owenson: It’s like a barefaced lie, isn’t it? Everyone knows you’re lying, but you do it to save face. 

(TC: 00:16:09) 

Louise Ferrett: Yes, exactly. 

(TC: 00:16:10) 

Dr Gareth Owenson: Yes, I mean, we saw with the Novichok guys, right. Where they did the Novichok in Salisbury. Basically, came out and did a bunch of lies about what they were there for, and it was just so comical. Comically bad lighting. I think that’s part of the way in which these guys operate. 

(TC: 00:16:25) 

Louise Ferrett: Yes, it’s, kind of, a power play, right. It’s, like, ‘We know that we’re lying. You know that we’re lying, but there’s not really much that you can do about it.’ 

(TC: 00:16:33) 

Aidan Murphy: I think in the statement, I mean, I was struck by the bravado as well. He talks about spending his time swimming in money, and that’s why he became a bit lax on his security, because he was busy, as he put it, ‘On his yacht with his girls.’ 

(TC: 00:16:47) 

Dr Gareth Owenson: Is that the phrase he used, ‘With his girls,’ is it? 

(TC: 00:16:50) 

Aidan Murphy: He actually used a slightly more graphic phrase, but I’m not going to use the phrase, because my mum listens to this. Yes, so I’m always slightly struck by the bravado. One interesting other element just to mention is that he claimed, again, claimed is a very important word here, that the FBI had decided to come down on him so hard because he has files relating to the presidential election. So, it’s a very interesting statement. I would encourage listeners to have a read for yourselves, but keeping in mind that we are obviously dealing with a criminal who has an interest in spreading misinformation, as Louise correctly says, but it is interesting to read. We got his direct response. He did a bit that he had security lapses, and that was probably how he was compromised. As you say, Louise, he vowed to carry on, and in even in that statement said that he was recruiting for more affiliates. You mentioned that there is evidence that his victim count was actually down following that initial law enforcement operation in February. 

(TC: 00:17:57) 

Louise Ferrett: Yes, we did see a drop, and that was, sort of, when we started to see a slight uptick in re-posts. So, that’s been pretty, sort of, front and center of the discussions online about LockBit. On the one hand people are, like, ‘Well, they’re still posting victims, so are still pretty active,’ but quite a lot of ransomware gangs will re-post victims. I don’t know if they get short on material, or maybe forget that they have already posted it, or it can even be a second attack on the same company, because obviously you’ve got multiple affiliates working independently. 

(TC: 00:18:40) 

Aidan Murphy: So, when you say re-posts, he’s posting the same organizations again, and claiming to have hacked them? 

(TC: 00:18:45) 

Louise Ferrett: Yes. So, it would be organizations that have already been posted on site, and maybe failed to extort the ransom from them, may have already released the data, or may have decided not to yet, re-posting those same victims. 

(TC: 00:19:03) 

Dr Gareth Owenson: I mean, one of the most amusing things about it was it was pretty much the most epic troll we’ve ever seen in cybersecurity history. It was just absolutely filled with Easter eggs, and stuff like that. Just all aimed at trolling the guy. You know, if you look, one of the tiles they had screenshots from all of his back-end infrastructure. You look at the file names, it’s, like, ‘Oh, that’s not good, .JPEG. Oh, no, there’s more .JPEG,’ and stuff like that. You looked at the view counts, and they’ve got references to hacker culture with, like, 1337, meaning, ‘Leet, we cloned them,’ type thing. The website was littered with all this stuff. Incredibly amusing watching all the reactions on Twitter, and all the memes which came out. The guy frankly humiliated, right, by the operation in every which way. It’s very difficult to come back from that, I think. 

(TC: 00:19:53) 

Aidan Murphy: Yes, and as you said, we’re just hypothesizing, that may have been why law enforcement took this option, to discredit the guy, to, I guess, yes, effectively humiliate him, and make it difficult for people to work with him. Louise, do you have a sense of what the reaction was among the dark web community, people in hacking forums? Obviously, yes, I was on Twitter at the time, so I saw how the cybersecurity community reacted pretty much with glee, but how did the more criminal element react on the other side?

(TC: 00:20:25) 

Louise Ferrett: There was obviously quite a lot of discussion about it on the main ransomware focused forums. LockBit has always been, kind of, a divisive figure in the cyber criminal underground. So, that was, kind of, reflected in this. You had detractors, kind of, celebrating, and saying, ‘This is finally it for them.’ Sort of, like Gareth said, ‘There’s no coming back from this.’ You also had their supporters equally saying, ‘This is just a small road bump.’ Obviously, the presumed status of not having an extradition treaty with wherever they may be situated, that’s always, kind of, fallen back on as, ‘They’ll never actually be able to reach us.’ So, even if this scheme goes up in smoke, he’ll just be able to pivot to a new one, was, sort of, the sentiment from his die-hard fans, I guess. 

(TC: 00:21:33) 

Dr Gareth Owenson: I mean, yes, Russia is never going to cooperate, and extradite him to the US for obvious reasons. I mean, what it does mean though is that he can never travel, right. He can never leave Russia now, or Russian affiliated countries, because he’ll be nabbed straight away for the rest of his life. So, there’s good reason to think at some point he will slip up, or think the pressure’s off, and make himself available to law enforcement without realizing, and actually get nabbed. 

(TC: 00:22:00) 

Aidan Murphy: Yes, that leads us on quite nicely to the second element of what I think of as the second element of Operation Cronos, which really took place last week as we were recording. So, we’re recording today on the 14th. Almost exactly this time last week, actually on the 7th, the Tuesday, the LockBit page was updated again, and we learned more about the ransomware group. I don’t know if, Gareth, maybe I’ll lean on you again, to describe what happened in Operation Cronos last week. 

(TC: 00:22:30) 

Dr Gareth Owenson: Yes, so on the Sunday evening at 8:00pm British time the LockBit leak site reappeared again in the same style, and design as the original LockBit Blog with these tiles, but a fresh set of tiles from the original law enforcement operation, but still with the same banners, law enforcement partners, and what have you. First one being a press release, second one being a reappearance of this, ‘Who is LockBitSupp?’ tile with the 10 million-dollar question from the previous one, where previously, his name wasn’t revealed. And then a bunch more tiles revealing, you know, more information about their infrastructure, the flow of money, some of the things which had gone on. And then with a countdown for all of these tiles for Tuesday afternoon, British time. And then Tuesday afternoon British time, all of the tiles turned green which meant you could click on them and see the results. Of course, everyone immediately went to tile number 2 to see who is LockBitSupp. And they were greeted with two photos of him, which, to answer you, they look like they may have been taken by him or his friends rather than by the FBI or the NCA, detailing his name and where he is, and basically offering a reward for more information about him. The guy, predictably based in Russia, as probably many people expected, and is often the case with ransomware groups, but a huge amount of detail about who the guy is and whereabouts he’s based. And since then, people have taken information from that page and de-anonymized him even further, got his mobile phone numbers, pictures from his time in the army, names of his business, and all of that sort of stuff as well. 

And then on the other tiles, they had more information that appears to have been leaked from our service since the first operation, kind of suggesting that they’ve still got access to his servers. They listed a whole bunch of new affiliates, for example, that had signed up since the February-based operations. And then some infographics detailing more information about the LockBit operation. One of the most pertinent ones in that was that, you know, LockBit had hacked a children’s hospital and demanded a ransom from them. At the time he had claimed that, obviously, due to the negative press reaction from hacking a kids’ hospital, he had claimed that they had provided the decryption key and the affiliate involved that had hacked that hospital had been removed from the group. The NCA and FBI and so on revealed, in fact, that was not the case, and the guy continued to be an affiliate of the group and continue to earn revenue from the group, and that LockBit didn’t assist in the decryption of the files, didn’t even help the hospital decrypt the files for the hospital. And we’ve seen, you know, other ransomware groups hack other hospitals over the years. Like, it often does cost lives. I went to a talk by a German hospital where one of the ransomware groups hacked that hospital and people actually died en route being moved from that hospital to another one because they couldn’t operate the machinery. You know, the x-ray machines and MRI machines and things like that in the hospital. So it does have very real consequences, those sorts of hacks. It’s not like the affiliates don’t know what they’re hacking, right? It’s not like they’re just hacking blind, they go, ‘Oh whoops, it’s a hospital.’ They know they’re targeting a hospital, right? 

(TC: 00:25:36) 

Aidan Murphy: Yes. Absolutely. So, yes, one of the main things we seem to have learned from this operation is that ransomware groups aren’t truthful, if anyone was going under that illusion. I think beyond that as well, I think I read that they found that lots of victim data that they’ve claimed to have been deleted, so also, they’re not deleted, which adds further credence to the idea that you shouldn’t pay ransomware groups because when they say they’re going to delete your data, they often don’t. And you have no guarantee that they will. 

(TC: 00:26:04) 

Dr Gareth Owenson: Yes, I mean, in addition to that, I mean, it wasn’t a huge surprise that they didn’t delete the data in response to receiving the ransomware payment. The thing that I was slightly surprised about was actually that they provide a decrypter when the organization pays, and actually, a lot of the time the decrypted just didn’t simply work and despite the protestations from the company LockBit just ignored them, despite having paid millions of pounds to get the decrypted in the first place. 

(TC: 00:26:28) 

Aidan Murphy: Shocking behavior for a ransomware group. 

(TC: 00:26:30) 

Dr Gareth Owenson: And you’d think criminals would be honorable, right? Who would have thought? 

(TC: 00:26:34) 

Aidan Murphy: So maybe not the most shocking finding. But yes, so Operation Cronos did name the person that they think are behind the alias that Louise mentioned, LockBitSupp. His name is Dmitry Khoroshev. 

(TC: 00:26:46) 

Dr Gareth Owenson: I’m glad you had a go at pronouncing it because I wasn’t going to. 

(TC: 00:26:50) 

Aidan Murphy: Yes, I noticed that you conveniently didn’t say his name. 31, as you say, Gareth, from Russia, and he was given a 26-count indictment in the US and they issued a reward for his arrest and conviction. 

(TC: 00:27:05) 

Dr Gareth Owenson: He’s upset enough people in the cybercriminal fraternity that now everyone knows who he is and where he lives, I think he’s going to have to go underground right now. 

(TC: 00:27:13) 

Louise Ferrett: I did want to mention the part in the indictment that states that he’d communicated with law enforcement and even offered services to them. It doesn’t specify what services. In return, for the law enforcement giving him the names of his rivals. I’m fairly certain that’s how you phrased it. So, now that his identity is out there, and that information of what he wanted to gain from law enforcement is out there, his rivals are probably going to be thinking the same thing. 

(TC: 00:27:53) 

Dr Gareth Owenson: So, from everything you both are telling me, it seems like this, we could call it a new approach from law enforcement of discrediting the individual behind the ransomware gang has proved very effective against LockBit. And I guess, now there is the possibility that this approach could be replicated. And again, do you think it is likely that we’ll see ransomware groups operating more cautiously, or being more careful or even stopping operation in response to the fear that they could be the next person on the kind of FBI or NCA hit list? 

(TC: 00:28:28) 

Louise Ferrett: If we look at the timeline, it was after phase one, shall we say, of Operation Cronos. Alfie, also known as BlackCat, I think we had them ranked as the second most prolific of the last year, if I’m not mistaken, Aiden. They were definitely in the top three. And they had recently launched a pretty big attack against, funnily enough, another healthcare organization, while we’re on that topic. It was like, a health insurance provider in the US, or maybe they ran hospitals. Change Healthcare, I’m pretty sure the name was. They received an anonymous ransomware payment from them. I can’t remember exactly. 

(TC: 00:29:12) 

Aidan Murphy: Alleged to be $22 million. 

(TC: 00:29:14) 

Louise Ferrett: Thank you very much, Aiden. Yes, $22 million. And shortly after that attack there started to be some complaints on one of the ransomware-focused forums on the dark web, from someone claiming to be an affiliate of BlackCat. And they claimed that they were the one responsible for gaining access and deploying ransomware on that healthcare company’s network, but they had not received their cut of the ransom payment. And they were also threatening that they still actually had access to the stolen data. So basically, the company had paid BlackCat when they weren’t actually in possession of the data. Sort of, the core admin wasn’t in possession of the data. And in response to these allegations, a representative for BlackCat, kind of, the core developer admin group, made quite a hasty statement, throwing out, kind of, excuses. 

(TC: 00:30:26) 

Aidan Murphy: They put up their own seizure notice on the leaked site, initially, I think. Claiming that they-, 

(TC: 00:30:32) 

Louise Ferrett: Yes, I forgot about that part. 

(TC: 00:30:34) 

Aidan Murphy: That they’d also been impacted by a law enforcement operation, to which the NCA, so that’s the National Crime Agency in the UK who were named on the seizure notice, that they had nothing to do with any action against BlackCat and we’re not responsible for their leak site going down. So again, quite an embarrassing situation for BlackCat. 

(TC: 00:30:57) 

Louise Ferrett: Yes, I think they said in the statement on the forum, ‘The FBI screwed us,’ or something along those lines. NCA never gets a lot of name recognition. It’s always the FBI. 

(TC: 00:31:10) 

Aidan Murphy: Yes, I noticed that in LockBit’s statement, as well. He directs a lot of hate towards the FBI, not the NCA. 

(TC: 00:31:15) 

Louise Ferrett: I think that’s just kind of the catch-all term for Western law enforcement in their eyes. 

(TC: 00:31:22) 

Aidan Murphy: There are more American movies so, you know, where they get all the credit.

(TC: 00:31:25) 

Louise Ferrett: Exactly. But yes, after that statement BlackCat did very hastily shut down operations. 

(TC: 00:31:33) 

Aidan Murphy: So, what you’re describing there is effectively my favorite, an exit scam. They took the money and ran, ripping up their own affiliate. It looks like that is the case, and since then, they haven’t been active. So, actually, you mentioned Gareth, that we could call this, did you say, a cy-ops operation? This is quite a major impact of that, then, if we do link the two. The fact that LockBit, who are one of the most prolific gangs, are severely disrupted and there has been evidence of them posing less victims. And BlackCat, the second most prolific gang of last year, they’ve taken themselves off the board. It seems that this is an incredibly effective method of law enforcement. 

(TC: 00:32:16) 

Dr Gareth Owenson: I mean, I think it’s early days, right? This is the first time we’ve seen an operation like this where they’ve really gone hard discrediting the actors behind the site. And so it obviously has much more impact being the first of its kind, and got lots of press attention and from the industry and what have you, and from other cybercriminals. I think it will be interesting to see how law enforcement proceed, whether this becomes a regular feature of how law enforcement engages with ransomware group actors, and whether repeated types of operations like this will have the same effect. But no doubt other law enforcement agencies will want to copy the approach the NCA have taken just for the kudos, just, it’s such a cool operation., But yes, they were the first. And I think it’s always more impactful and gets more press attention. We’ll just have to wait and see whether that continues to be effective in the longer term if other agencies decide to use that same approach. I think it’s yet to be proven. 

(TC: 00:33:14) 

Aidan Murphy: Yes, absolutely. I think we spoke about this in a previous episode, but it does seem, at least from the outside, that law enforcement, these kind of international collaborations between lots of agencies, and we should say that as well as the NCA and the FBI, there are a lot of agencies around the world involved in this operation as well. This kind of international collaboration between lots of agencies targeted at specific groups. And not just ransomware groups, but also dark web marketplaces and things. They seem to be increasing in frequency and increasing in scope, I guess, or effects. Would you agree with that, Gareth? Does that seem to be the case? 

(TC: 00:33:54) 

Dr Gareth Owenson: Yes, I mean, I think it speaks more to the maturity of law enforcement in the new world. You know, cybercrime’s always been international in nature. And so having a law enforcement agency who’s just focused on domestic matters, which, you know, all law enforcement agencies-, you know, the FBI is primarily focused on domestic matters, NCA is, etc. It just doesn’t really cut it when you’re doing these types of investigations because the suspects are international. They are based all over the place, as are their servers. And so it requires close cooperation between agencies. Now, you know, we’ve seen this evolve over the last few years where more and more agencies are cooperating. It used to be a small-ish group of, you know, FBI, NCA, and maybe the Germans, and occasionally Europol and occasionally the Swedes. Now, it’s a much larger group of law enforcement agencies. So, I think that really speaks to the fact that they’ve matured their processes, they’ve built relationships across agencies with the right people in those agencies. And they’re now able to respond in a much more robust way and a much more coordinated way across borders, you know, bearing in mind every law enforcement agency has got its own different laws, different constraints. Again, that’s all got to be coordinated internationally to do something, you know, coordinated like this kind of takedown. 

(TC: 00:35:15) 

Aidan Murphy: I’m going to ask you a difficult question, but would you say at the moment it’s become tougher for cybercriminals operating on the dark web, or harder than it has been before? 

(TC: 00:35:25) 

Dr Gareth Owenson: I think it is harder than it has ever been. We see lots of stuff being taken down from the dark web and large number of people being arrested, right? It’s difficult to know the reasons behind that and how law enforcement are being so successful. And presumably, people that are using the dark web are just not as savvy as they appear to be and keep making mistakes. 

(TC: 00:35:44) 

Aidan Murphy: And I guess, like you say, law enforcement are learning all the time as well. So, that has an impact. I guess I’d like to kind of finish off by looking at what comes next. So, you’ve both kind of given your opinion on what happens to LockBit next. Very difficult for them, probably not going to be arrested unless they leave, but things will be more difficult for them. Louise, do you have a sense on what happens next in the ransomware scene? Do we see basically just another LockBit emerge and become the next biggest gang? Or will this have any other kind of effect? Will we see, I guess, maybe smaller groups operating? 

(TC: 00:36:20) 

Louise Ferrett: I’m going to give kind of a politician’s answer where I don’t actually answer the question. 

(TC: 00:36:25) 

Aidan Murphy: We have no politician’s answers on this podcast. Okay, I’ll allow it. 

(TC: 00:36:30) 

Louise Ferrett: Just to kind of, yes, expand on what you were saying. It is going to be interesting to see where the ransomware as a service scene specifically goes from here. So, like we said, the kind of next-in-line for the throne, it’s like, number one most prolific ransomware gang abdicated, took themselves off the board, like I said. And that leaves multiple, probably like, four of five similarly-sized groups that are still very active. It’s hard to say whether one of them will kind of rise to fill that gap. Whether they’ll want to because obviously it puts such a large target on your back and I think ransomware operators are now starting to feel the heat that is more normally felt by dark web market or creators. Because obviously, there’s always been more of a risk of actually getting de-anonymized and arrested. But now, with this new threat that your identity will be found and publicized and your reputation will be completely discredited to the point where you are not even worried about law enforcement, but you’re worried about the fact that you won’t be able to make a living in this industry anymore, because that’s effectively what it’s seen as, for these guys. And then, you know, the extra, if you like, LockBitSupp, and you’ve had a habit of making enemies with your kind of industry peers, you’re going to be looking over your shoulder the whole time. So, whether groups will want to kind of expand to the same level sort of remains to be seen. 

(TC: 00:38:24) 

Aidan Murphy: That’s maybe a bit of a continuation of a trend that was already on its way though. I remember you mentioned to me last year, even, that some dark web forums were banning ransomware as a service as a topic because it was seen as too hot, and drew too much attention from law enforcement. 

(TC: 00:38:42) 

Louise Ferrett: Yes, that always kind of ebbed and flowed. Like with many rules on the dark web. It was kind of in name, but people would still talk about it. I suppose you’re right, it has been a sort of building trend of more fragmentation. Obviously, before LockBit, there was Conti, kind of, taking the top spot for ransomware as a service. After they disbanded, there were a lot of suspected offshoot gangs, some of which are still operating today. Whether we’ll see the same with, kind of, LockBit affiliates banding together and making their own groups. Yes, it’s hard to say. 

(TC: 00:39:33) 

Aidan Murphy: Something to keep an eye on. I know I’m putting you a little bit on the spot here, but you mentioned there are four or five big groups in the wings, so to speak. Are there any names that listeners should maybe be aware of? Any particularly big groups? So, we’ve obviously talked about LockBit, BlackCat, and Conti, but all of those are gone now. So, who should listeners, security professionals, or law enforcement be aware of as the next, maybe, in line?

(TC: 00:40:00) 

Louise Ferrett: Well, I’ve luckily come armed with statistics because I had a feeling that you would ask this question. And so some names that I’ve, sort of, got over the past three months as being the most active, and there’s no clear front-runner, which kind of speaks to the fact that there’s not a ready-made successor to LockBit. There’s Play, Snatch, Cactus, BlackBasta, which have been in the news recently as being particularly active and targeting a lot of critical infrastructure organizations which is obviously quite concerning. Hunters International, Medusa, 8Base. Obviously, these are all based on how active they are on the dark web as well. So, you’ve got to keep that in mind. There could be groups that don’t post at all, but are ten times more active. 

(TC: 00:41:02) 

Aidan Murphy: Yes, I think one thing that really stands out to me there is that there are quite a lot. And it’s worth saying for listeners, we track dozens of ransomware groups operating on the dark web. So, it’s not just that there are one or two big groups, there are still quite a few. Even with some of the biggest players diminished, there is definitely still quite a big problem to be solved. Gareth, I don’t know if you have any concluding thoughts on what you think, kind of, the last effects of this operation will be, whether there will be any change to ransomware or will ransomware continue? 

(TC: 00:41:35) 

Dr Gareth Owenson: I think we need slightly more drastic action to solve the ransomware problem. You know, all the time these groups are based in Russia, they can act with impunity, they’ve got implicit support from the Russian government, and so law enforcement operations are really only going to be limited to disrupting them. You know, we’ll see what the impact of this is, whether publicly outing these guys and embarrassing them drives them out of crime, but I suspect possibly not, in the longer term. You know, some of the things we’ve been talking about for a while, politically, have been things like banning ransomware payments and making it unlawful to pay a ransomware payment. I mean, we currently have that kind of rule in the UK where the British government won’t pay hostage-, you know, anyone that’s been held hostage, they won’t pay for hostages to be released because the government doesn’t want to have more people taken hostage to get the fees. And there’s been some discussion about doing something similar with the ransomware payments. You know, kind of the net effect of that is if we were to ban ransomware payments, it means that a number of companies are going to go under in the short term, where perhaps they could have otherwise been saved. But for the greater good, because once the cybercriminals realize that targeting British companies is no longer profitable, they’re not going to spend their time targeting British companies. You know, so it’s just whether that’s worth it. It seems to have fallen out of the public discussion sphere recently, whereas a few years ago, it seemed like it may actually make it into law, but I don’t really hear much about it nowadays. I do personally think that’s the only way which we’re going to really make this problem go away, is cutting off the money supply for them. And unfortunately, that means legislating that some businesses will go under for the greater good. 

(TC: 00:43:18) 

Aidan Murphy: Yes, well, I mean, as we’ve highlighted, and there’s the evidence from this operation, is that paying the ransomware anyway doesn’t seem to help many organizations, not even getting the decryption keys, let alone having the data deleted. 

(TC: 00:43:32) 

Dr Gareth Owenson: I mean, that may be part of the message, right? That law enforcement’s trying to push it out that actually, you’re going to pay this money but you’re going to waste it, and if they can reduce the amount of money that goes to ransomware groups and it becomes less profitable, then they may start to fade away. But I don’t personally think it’s-, the reality is if you’re a company who has been ransomwared, you’re in crisis mode, right? And you’re in survival mode, really, in many cases. And so paying, you know, a million quid to have your files decrypted versus the business disappearing, it’s kind of, when you do the math, it’s kind of worth the risk, right? That you don’t get the stuff at the end because you don’t have any other choice. You know, you’re being held to ransom, right? Personally think the government needs to take a more proactive approach and do a whole-scale ban, and that’s the only way we’re going to get out of this perpetual situation. 

(TC: 00:44:17) 

Aidan Murphy: Well, I think it’s fitting to end this episode, as this is an operation where government did-, and law enforcement did take a different approach, to end this episode on some fresh ideas. So, thank you Gareth, and thank you Louise for joining me to talk through Operation Cronos, I’m going to draw a line under this episode of The Dark Dive. If you can’t wait to listen to more, remember you can follow us for free on Apple Podcasts, Spotify, YouTube, or whatever podcast app you use. And you can get all episodes of The Dark Dive that we’ve previously recorded and new ones as they are released. The Dark Dive is created by Searchlight Cyber. You can find our social media accounts, and email address in the show notes. Please, do get in touch if you have any questions, if you’d like to hear us cover a specific topic, or if you’d just like to tell us you like the show, that’s also nice. Until next time, stay safe.

[Read more]

The Beacon Newsletter

Get news, insights & intelligence straight to your inbox

Threat Intelligence Report

More Groups, More Problems: Ransomware in 2023