Feature For roughly two years, LockBit's ransomware operation was by far the most prolific of its kind, until the fateful events of February. After claiming thousands of victims, extorting hundreds of millions of dollars, and building a robust army of sophisticated cybercriminals, the life's work of its mastermind, LockbitSupp - whom cops claim is Russian national Dmitry Khoroshev - is now hanging by a thread.

Despite Operation Cronos's failure to scupper the operation entirely, it may still go down as one of the most comprehensive ransomware takedowns of all time. Sure, the infrastructure may have been rebuilt and its blog is back online, but LockBit's reputation is in tatters.

Nearly half a year after law enforcement's disruption efforts, experts now say its best earners have fled for crews with better opportunities, better tech support, and, crucially, a reputation that isn't in the gutter. What's next for LockBit and its leader is anyone's guess.

Dragging out the drama

Led by the UK's National Crime Agency (NCA), Operation Cronos's efforts to bring down LockBit in the most public manner possible set a new standard that all other ransomware takedowns should copy going forward.

First came the LockBit leak week - five consecutive days each filled with new revelations about the ransomware machine after cops broke into its systems and rummaged around for intel. It was a novel approach that ensured the story dominated headlines throughout the week and beyond.

Then, as gang leader LockbitSupp was showing signs of crawling back, the cops finally made good on their tease during February's leak week to reveal their suspect, Khoroshev's, identity - previously such a closely guarded secret that the LockBit leader himself claimed he would cough up $1 million to anyone who discovered it.

LockBit continues to operate, albeit at a significantly reduced capacity. Its name no longer amounts to the same degree of peril as it once did, and that's shown in the numbers.

The numbers don't lie

Since February, LockBit has fallen down the ransomware leaderboards to the point where it's now not even compared with other operations.

Less than a year ago, the Lockbit crew was in its heyday. In November 2023 alone, LockBit claimed attacks on 108 different organizations. This fell to 82 in December - even ransomware skids celebrate Christmas - but this was still more than its closest rivals Play, ALPHV/BlackCat, and 8base could muster combined (79), per Cyfirma's data.

However, Operation Cronos's intervention had an immediate effect, bringing numbers down to 54 in March, 24 in April, and a bizarre 174 in May which experts believe to be mostly comprised of old reposted attacks.

"To me,  it was an attempt to demonstrate that Operation Cronos was not impactful to [gang leader LockbitSupp]," says Azim Khodjibaev, cyber threat researcher and senior intelligence analyst at Cisco Talos.

"It was as if to say 'see, I am still operating' but the audience wasn't media, law enforcement, or threat researchers. We know the truth behind the victims. This show of force was intended for new affiliates and those that may be on the fence about joining LockBit. Since most of them will not do the due diligence of verifying the victim claims, LockBit wanted to seem like he is operating."

A month later LockBit had fallen off the charts. Qilin claimed the fewest attacks in Cyfirma's June analysis, 18, so LockBit would have posted even fewer - an illustration of how far it has fallen.

While it might be a shadow of its former self, LockBit persists. Operation Cronos wasn't successful in destroying the operation altogether, which is something to be said about LockBit's resilience. It's not often ransomware crews feel the full force of a multi-agency takedown and carry on afterward.

So, yes, that's something. Well done, Dmitry.

However, while the brand lives on, it does so in tatters. As it's not the most technically sophisticated ransomware out there, the brand was all LockBit had.

Robert McArdle, director of Trend Micro's forward-looking threat research team, tells The Register: "The old model used to be a ransomware [group] got disrupted in some shape or form, and then they just restart, rebrand, start all over again, right?

"In the case of both of those, the thing that set them apart was actually not the technology they had, as in the ransomware component wasn't fantastic compared to others… but it was the brand itself. The brand was the only thing they had to protect.

"So in their case, coming back with LockBit and starting all over again as something new doesn't work, the brand is what you have."

Friends become foes

LockBit's ransomware still works, despite the score of decryption keys released by law enforcement agencies. Just taking into account the technology involved, nearly six months after the disruption of LockBit, there isn't much standing in the way of it regaining its former crown.

The mass exodus of affiliates, however, played a big role in its downfall. With quicker, more user-friendly, and generally better ransomware tech available to top affiliates, LockBit's brand was indeed the only factor keeping the best bad guys in LockBit's corner.

That brand reputation was shattered almost overnight and, along with it, perhaps along with LockbitSupp's hopes of ever playing another important role in the ransomware landscape again.

LockBit appeared to have 194 affiliates on its books, according to Operation Cronos, which found every single one after rummaging around the group's systems. Of those, 119 entered negotiations with victims, indicating they definitely carried out attacks, and 80 affiliates definitely received at least one ransom payment.

Now it's a significantly different story. In doxxing their LockbitSupp suspect Khoroshev in May, Operation Cronos also provided an update on the figures it released during LockBit Leak Week in February. Just 69 affiliates remain and experts suspect the only people taking LockBit seriously are low-level, wannabe cybercriminals who want a spot on LockBit's affiliate roster.

"Any discussions now about LockBit are what we would kind of assess as lower-level threat actors who are seeking out LockBit to join because they obviously can't join some of the larger groups," says Chris Boyton, adversary hunter at Trend Micro, referencing how discussions about LockBit on underground cybercrime forums have fallen off a cliff.

"A lot of these groups, though, we believe are closed groups where you're referred in as opposed to before where you'd see forum post advertising spots."

Prior to LockBitSupp's ban from the XSS and Exploit cybercrime forums at the turn of the new year, LockBit's brand reputation was at its height, but this was largely because the leader was the main catalyst behind the numerous discussion threads. His ban led to a sharp decline in publicity, and when Operation Cronos struck around a month later, LockBit's standing plummeted to an all-time low.

These events, in tandem, drove the army of affiliates out the door and into the welcoming arms of other RaaS groups such as RansomHub, which by that time had been scooping up ALPHV/BlackCat's talent, and Akira, which is now being dubbed the next big thing in ransomware.

Experts say that LockBit's brand was the only thing keeping affiliates on its side. The name "LockBit" alone carried a certain gravitas for years, synonymous with the worst consequences of ransomware. But when that brand was dead and buried, affiliates realized that the tools of other RaaS programs were better and suddenly had nothing keeping them from embracing the next generation of kit.

"In general, actually, it was one of the things some of the LockBit affiliates were complaining about is that LockBit hadn't really kept up with the times in terms of some of the developments, technically, what the affiliates were expecting and seeing other ransomwares offering," says McArdle.

"So, things like faster encryption times, and just better user interfaces and tools for managing the negotiations with victims - those things that some of the new rivals of LockBit came up with because obviously they had to differentiate themselves and say 'look, we have a better product,' right?

"And LockBit seemed to be missing its core development team, or they never seemed to be able to develop up to that point. We saw them starting to do that around the time of the first disruption, we actually we published a blog on it, that they were working on a new version, but they never quite got to that stage."

Where next for LockBit?

When it comes to ransomware takedowns, the usual blueprint is that they're based in Russia, so won't be arrested unless they're stupid enough to enter a country with an extradition agreement with the West. If no arrests are made, they're essentially free to lay low for a little while and come back under a new guise.

Conti split up into Royal, Black Suit, and Akira; Vice Society became Rhysida; Phobos became 8Base; ALPHV/BlackCat was a Darkside rebrand. The list goes on. It's a tired but reliable format.

However, for LockBitSupp's leader to carry on the LockBit brand post-takedown is unusual - it's new ground being trodden, which means confidently predicting a long-term outcome is difficult.

Khodjibaev thinks that because LockBit was so intertwined with LockBit leader's personal identity, it's only a matter of time before a rebrand takes place.

"LockBit stood out as someone who invested their entire energy and resources into their brand. If you recall, [LockBitSupp] was known to dispute and argue about his program and to defend his brand constantly. This tells me that the entire brand is tied to his personal identity, which influences the decision about continuing with the brand.

"He probably will rebrand, but going back to the personal identity part, it is obvious that this criminal enterprise is very important to Khoroshev. It is his 'baby' and without question the most lucrative project he's ever created."

Despite having more than enough money to sit back and live a life of leisure forever more, it seems as though LockBit was more than a cash cow for LockBitSupp. It may have started as one, but like Messi, Gates, and Tarantino, the ransom gang leader became a titan of his industry and to relinquish that status surely won't be an easy thing.

There is, of course, the possibility that LockBit's leader may never pursue ransomware again and instead opt for something completely different, or at least adjacent. If money isn't an object anymore, and it shouldn't be given it raked in more than $120 million worth of ransom payments over the years, perhaps he will look to conquer another field.

"His reputation was a big deal for this person. They wanted to be seen as one of the kingpins, if you like, of the cybercrime world," says McArdle. "So, I think they will tip along with LockBit just to keep it in people's minds that this thing still exists until they come up with a new business model - maybe not ransomware, it could be something else entirely - and then essentially relaunch the whole brand.

"So, that's why I think they're doing, they're just keeping the brand awareness going until they have time to launch whatever their new business venture is."

Whatever comes next for him, it will have to be launched from inside Russia. As for suspect Khoroshev, the career criminal faces a 26-count indictment from the US - a country that would absolutely love to see him rot in a prison cell for the rest of his life, which the maximum 185-year sentence attached to that indictment would promise if in all unlikelihood it was granted.

Don't count on him being caught, though. The gravity of the charges would keep any sane person from putting themselves in a position where they could face those.

Sitting on a nine-figure pile of cash, most people would take that money and run. Start a family, perhaps, and sit around the dinner table reminiscing over all the people you robbed, extorted, and hurt to pay for the meal in front of them.

There also remains the possibility that the Kremlin could tap him as they have with other groups like REvil in the past, trading their protection for state-sponsored work, in whatever form that may take.

Behind the scenes, the NCA - which led Operation Cronos - couldn't find the time to discuss the previous few months with us, but we're fascinated to hear the next update from law enforcement's work on the case, if one is even in the works.

What's certain, though, is that carrying on the LockBit brand post-disruption is uncharted territory, so whatever LockBitSupp does next will be something to keep an eye on. ®

https://www.theregister.com//2024/07/31/five_months_after_lockbit/