
The Lockbit Ransomware Group Disruption: Now What?

By now it’s old news that the LockBit Ransomware as a Service (RaaS) company has been “disrupted” by law enforcement; there have been several good articles detailing the specifics. Servers have been seized (though maybe not all of them), two people have been arrested, and indictments have been unsealed for others. A new decryption tool has even been released, which may provide relief for at least some of the victims. LockBit was well known to be the largest and most sophisticated of the RaaS operators, covering, by some estimates, about 25% of the marketplace; if Gartner did RaaS ratings, LockBit would likely be in the magic quadrant. So all of this is definitely great news… but what does it mean? Are we going to see a 25% drop in ransomware attacks in 2024? It seems unlikely.

The Ransomware Market Remains

You might have noticed that I leaned into some business terms in my opening paragraph. I used that wording because, despite the illegal and immoral nature of this activity, it is ultimately a business. Most of the companies that have been “hit by LockBit ransomware” were not targeted by LockBit themselves; they were targeted by an “affiliate”. The affiliates are LockBit’s customers, and they are the impetus behind most of the attacks. Just like in any other business landscape, legal or illegal, where there is a customer to be had and money to be made, a business will be happy to fill the gap. So to me, the real question is not about LockBit and how this changes things for them and their victims; it’s how this changes the affiliate landscape.

For the past few years, it’s been possible for someone with no scruples and a penchant for long stays in a small locked room to take on a high-risk, high-reward business venture: they could buy access to a company through an initial access broker (or, slightly more daring, directly from an employee), then sign up for RaaS, deploy, and wait for either the bitcoin to roll in or law enforcement to show up. While the movies have made a good show of the evil hacker with a vendetta against a company or person, the truth is that ransomware is almost always a financially motivated attack, and generally an attack of opportunity. Targets are whatever looks likely to provide the best risk/reward ratio; again, it’s a business. So, ultimately, what happens when a major player in a business sector disappears?

History tells us that the business sector does just fine. Other companies step up to fill the gap, often more than one as they scramble to fill the void. While this might disrupt the least sophisticated of the affiliates, the people who needed LockBit’s advanced software and services to be able to navigate the ransomware space, other companies will move to improve the customer experience for their own products in a bid to win those customers. And the founders and key members of LockBit weren’t the ones arrested, so while they’ll probably take some time to rebuild, it’s unlikely that we’ve seen the end of them. So if this is at best a speed bump and at worst an impetus for growth in the RaaS space, what are we to do?

Lasting Change Depends Upon Us

Ultimately the solution is to change the risk/reward equation. We need to make these attacks difficult and risky enough that they’re no longer worth the effort. We need to change the landscape such that a company like LockBit can no longer find a market for its services. It’s up to us, as information technology and security professionals, to continue to work together to improve not only the security of our software and infrastructure, but also our detection and response when attackers do strike. Only by working every angle will we be able to stay ahead of the criminal enterprises of the RaaS operators and their customers. There are several concrete steps that an organization can take right now to improve security posture and operational readiness.

  1. Strong patch management discipline, backed up with a vulnerability management program. Any time an organization adopts a technology it needs to come with a plan to maintain the systems in a timely manner.

  2. Configuration management, also backed up with a vulnerability management program. The Center for Internet Security (CIS) provides excellent benchmarks to get started.

  3. A strong, tested backup strategy. Backups of all critical systems and data should be maintained, and regularly tested to ensure recoverability.

  4. Minimize exposure through network design. Administrative tools and interfaces should not be exposed to the internet, or even to the normal user population unless strictly necessary.

  5. Enforce strong authentication controls. This includes long passwords (12+ characters) and multi-factor authentication (MFA) on any external interfaces or privileged systems.

  6. Deploy and monitor advanced security solutions, including endpoint protection and email protection. Alerts from these systems must be constantly monitored and quickly addressed.

  7. Prepare a detailed incident response plan and then practice it to identify gaps. Tabletop exercises of this plan should include technical steps for response and recovery as well as the steps taken by legal, human resources, communications, and any other team that may be involved.

  8. Be aware of the threat landscape. Tools like CISA’s Cyber Threats and Advisories can be invaluable in keeping abreast of new vulnerabilities and threats. Be aware of your key technologies, especially those that are internet facing, and ensure you are informed of any security vulnerabilities that impact your infrastructure.
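
As an added example (not code from the original post), here is what “regularly tested to ensure recoverability” from step 3 can look like as a small, repeatable drill in Python: take a backup with a SHA-256 manifest, restore it to a separate location, and verify every restored file against the manifest so that missing, unexpected, or silently altered files are reported rather than discovered during an incident. All file names, paths, and contents below are constructed for the example.

```python
"""Backup restore verification drill (added example; all names are hypothetical).

A backup that has never been restored and verified is only a hope. This
script builds a constructed data set, backs it up with a hash manifest,
restores it elsewhere, and checks the restore against the manifest.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source: Path, backup: Path) -> Path:
    """Copy the source tree into the backup location and write a manifest beside it."""
    shutil.copytree(source, backup / "data")
    manifest = build_manifest(backup / "data")
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return backup / "manifest.json"


def restore_backup(backup: Path, target: Path) -> None:
    """Restore the backed-up data to a fresh target directory."""
    shutil.copytree(backup / "data", target)


def verify_restore(manifest_path: Path, restored: Path) -> dict:
    """Compare the restored tree with the manifest and report every discrepancy."""
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "corrupted": sorted(
            f for f in expected if f in actual and expected[f] != actual[f]
        ),
    }


def restore_is_clean(report: dict) -> bool:
    """True only when nothing is missing, unexpected, or altered."""
    return not any(report.values())


def run_restore_test(corrupt_one_file: bool = False) -> dict:
    """End-to-end drill on constructed data: back up, restore, verify.

    With corrupt_one_file=True, one restored file is altered after the restore
    to demonstrate that the verification catches silent corruption.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed sample "critical data" (hypothetical contents).
        source = tmp / "source"
        (source / "db").mkdir(parents=True)
        (source / "db" / "customers.sql").write_text(
            "INSERT INTO customers VALUES (1, 'acme');\n"
        )
        (source / "config.yaml").write_text("service: billing\nport: 8443\n")

        backup = tmp / "backup"
        backup.mkdir()
        manifest = take_backup(source, backup)

        restored = tmp / "restored"
        restore_backup(backup, restored)
        if corrupt_one_file:
            (restored / "config.yaml").write_text("service: billing\nport: 8080\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    clean = run_restore_test()
    print("clean restore OK:", restore_is_clean(clean), clean)
    bad = run_restore_test(corrupt_one_file=True)
    print("corrupted restore OK:", restore_is_clean(bad), bad)
```

In a real program the manifest would be generated at backup time and stored with (and, ideally, also apart from) the backup media, and the restore would be exercised on an isolated host on a schedule; the point of the drill is that the verification report, not the existence of a backup job, is the evidence of recoverability.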

While this is a short list of “greatest hits”, tools like the 18 CIS Critical Security Controls and the NIST Cybersecurity Framework provide comprehensive guidance on virtually every aspect of a cybersecurity program. They can give any organization the tools to move the needle on their security posture.