LockBit ransomware gang persists despite law enforcement crackdowns

After a disruption in February, LockBit roared back in May, highlighting persistent cyber threats to the financial sector.

When law enforcement agencies said they had shut down the notorious LockBit hacker group earlier this year, it looked like good news for the financial institutions that were frequent targets of the gang's ransomware attacks. But recent developments suggest LockBit members have regrouped and are on the attack again, just as some cybersecurity experts warned they would.  

In the time since the FBI, U.K. and European law enforcement agencies disrupted LockBit in February, there has been some encouraging news for victims and potential targets of LockBit. Last week, Dutch and Ukrainian law enforcement identified a Kyiv resident who worked with LockBit and other ransomware groups. The same day, the FBI announced it had acquired more than 7,000 decryption keys that can help victims of LockBit ransomware reclaim their data.

Despite the progress, LockBit has shown some signs of life. On May 8, the day after the FBI publicly identified LockBit's leader as Russian national Dmitry Khoroshev, the gang claimed responsibility for a breach against the city of Wichita, Kansas. On May 23, the group published data it claims it stole from London Drugs, a Canadian pharmacy chain. So far in June, the group has claimed responsibility for 12 separate ransomware attacks, according to the group's victim-shaming blog.

The group "surged in prevalence after a short hiatus," according to a report released Monday by Check Point Software, an American-Israeli provider of security software. LockBit accounted for roughly one third of the attacks publicly claimed by ransomware groups tracked by Check Point.

"While law enforcement bodies managed to temporarily disrupt the LockBit cybergang by exposing one of its leaders and affiliates in addition to releasing over 7,000 LockBit decryption keys, it is still not enough for a complete takedown of the threat," the report reads. "It is not surprising to see them regroup and deploy new tactics to continue in their pursuits."

LockBit is only one of several ransomware gangs banks need to worry about. In a report released in March by the Financial Services Information Sharing and Analysis Center (FS-ISAC), the cybersecurity consortium for financial companies specifically named a number of threats that have recently menaced the sector, including Alphv, Qakbot and TA569.


Alphv, also known as BlackCat, is a ransomware group that in 2023 attacked financial software firm MeridianLink, casino and resort groups MGM Resorts and Caesars Entertainment, point of sale manufacturer NCR and ATM provider QSI. Last year, Alphv was the second most prolific ransomware group, behind only LockBit, according to cybersecurity firm Cyberint.

Qakbot is botnet malware that threat actors initially designed to target banking applications specifically, but the Trojan has evolved, and threat actors can now use the malware to target systems in other sectors, according to FS-ISAC. The malware is notable because the FBI announced in August that it had disrupted Qakbot, but cybersecurity experts found evidence that the threat actor behind it began distributing a new kind of ransomware around the same time.

TA569 is an initial access broker that sells access to networks compromised by SocGholish, a type of malware that masquerades as software updates (hence its alternative name FakeUpdates). TA569 compromises vulnerable websites to display fake messages that the user's browser needs to be updated, a tactic FS-ISAC says other groups have copied.

SocGholish and Qakbot were two of the top five malware families reported by FS-ISAC members in 2023. The other three were Agent Tesla, AsyncRAT and NetSupport RAT. Each of these three is a remote access Trojan (RAT), malware that lets an attacker monitor or control the infected system while disguising itself as legitimate software.
