After U.S., U.K. and European law enforcement agencies announced Tuesday that they had
Polish and Ukrainian agencies have arrested two suspected LockBit actors, and French and U.S. authorities have issued three international arrest warrants and five indictments. In an operation led by the U.K. National Crime Agency (NCA), law enforcement seized control of, among other assets, LockBit's victim-shaming website where it posted stolen data, the ransomware source code and intelligence on the group's activities and affiliates.
In a similar case, the
Yet on Tuesday, the gang
While Alphv's reemergence is discouraging, hitting back at ransomware actors like it and LockBit is nonetheless a necessity, according to Adam Hickey, former deputy assistant attorney general of the Department of Justice's national security division.
"Disrupting cyber actors is like bailing water out of a leaky boat," Hickey said. "You're never done, and there's still water in the boat, but you'd be worse off without the pail."
This constant need to bail water stems from the underlying vulnerabilities that ransomware operators exploit, according to Boaz Gelbord, chief security officer of Akamai, a cloud services and security platform. As long as these vulnerabilities remain, cybercriminals like LockBit's members and affiliates will have financial incentives to resume under new groups and rebranded old groups, he said.
"This is not to say that there isn't significant value — both actual and deterrent — in takedowns, but it does explain why it generally only offers a temporary dent in the overall ransomware phenomena," Gelbord said.
Ransomware is a billion-dollar industry that is not going away, so the best most banks can do is focus on basic security hygiene, according to Nick Hyatt, director of threat intelligence at Blackpoint Cyber. So many security incidents exploit the human side of security, he said, with threat actors targeting individuals through phishing, stolen reused credentials or social engineering.
The gang allegedly had been involved in some of the highest-profile ransomware attacks against financial institutions of recent years.
Ransomware groups often operate as a service business, offering affiliates their malware in exchange for a cut of the spoils — in LockBit's case, around 20%, according to a court filing released Tuesday by the FBI. This leads to competition for affiliates among the ransomware groups, so the disruption of LockBit creates a vacuum that other groups may look to fill, according to Matthew Corwin, managing director at investigations and security company Guidepost Solutions.
While it is unknown exactly how many people were affiliates or core team members of LockBit, the two arrests and five additional indictments likely only scratch the surface of the number of people involved.
Law enforcement faces many "jurisdictional obstacles" in trying to arrest these alleged criminals (for example, two indicted men are Russian nationals currently living in Russia), so disrupting cybercriminal infrastructure serves as a "potent countermeasure," according to Charles Nerko, lead of the data security litigation team at law firm Barclay Damon.
"Although not all involved will face justice, the impact of these arrests deals a direct blow to cybercriminals and disrupts their recruitment efforts," Nerko said.
Recent ransomware disruption operations indicate that law enforcement is making strides in the fight against cybercrime, according to some experts. One way in which these operations may be improving is collaboration; intelligence work and infiltrating groups like this can be difficult in part because the cybercriminal community is notoriously paranoid and untrusting, according to Blackpoint Cyber's Hyatt.
"The teamwork between nations here was great to see, and I think as operations like this succeed, we will see improvements in the capabilities of law enforcement to disrupt groups like this," Hyatt said.
The LockBit takedown has also brought back into focus a longstanding debate over whether victims should pay ransomware actors to delete stolen data or to keep it hidden. Law enforcement agencies including the FBI advise victim institutions not to pay ransoms because that incentivizes the booming business of ransomware.
A consortium of financial companies said premiums are rising despite a relatively low level of overall risk, causing some banks to reconsider their policies.
In the case of LockBit, the NCA said that, in the process of disrupting the group's operations, investigators found data belonging to LockBit victims who had paid the group ransoms.
"The fact that LockBit was found to have [that] data after being paid to delete it should surprise nobody and highlights the absurdity of paying in the belief that they will," said Brett Callow, a threat analyst at Emsisoft. "Hopefully, this will make organizations less inclined to part with their money."
Some experts push back on this point, though.
"Victims often pay to prevent the information from becoming public; I don't think they are under any illusion that the data is deleted," said Hickey, the former DOJ official. "Data never really disappears."
This point came into focus in September, when the assistant superintendent of a Texas school district that fell victim to ransomware described why her district decided to pay the perpetrators a ransom of more than $500,000. The district wanted to prevent the threat actor from releasing the personally identifiable information of 428,761 affected individuals, the assistant superintendent had testified before Congress.
According to experts, this is the same dilemma that nearly all companies that fall prey to ransomware face, and it points to a larger issue that individual companies cannot solve on their own.
"The cybersecurity community parrots the 'don't pay the ransom!' talking point, but there are no good alternatives," said Blackpoint Cyber's Hyatt. "Governments, the security industry, and the insurance industry need to make a concerted effort to work together to provide an alternate solution to paying the ransom."