Three Ransomware attacks and data breaches in the healthcare industry over the last few weeks have been noteworthy. We’ve discussed the first incident that involves the BlackCat Ransomware as a Service (RaaS). Now, let’s continue with the second:the return of LockBit 3.0.

Part 2: The End of LockBit? Not So Fast.

According to the Cybersecurity & Infrastructure Security Agency the LockBit Ransomware as a Service (RaaS) operation launched in late 2019 has been targeting high-profile organizations worldwide including critical infrastructure, healthcare, financial services, education, energy, food and agriculture government and emergency services, manufacturing, and transportation. Since the release of LockBit 1.0, LockBit has said to become the most prolific ransomware variants in the world and continued to be the most deployed ransomware in 2023.

The LockBit operation was run more like a business than a gang, with rules the affiliates had to follow otherwise they would be removed from the platform. One such incident was in December 2023 when an affiliate violated the rules and hacked The Hospital for Sick Children. The platform operator offered an apology along with the decryptor for free, while at the same time banning the affiliates from the platform.

In June 2022, LockBit 3.0 – also known as LockBit Black – was launched with increased encryption speed and anti-evasion techniques, making it harder to detect and block. LockBit 3.0 shares some similar features and capabilities with the BlackMatter and BlackCat (ALPHV) ransomware and added log deletion, emptying of the recycle bin, changes to the host system’s wallpaper and icons, and DDoS attacks to threaten triple extortion.

Around mid-February 2024, threat actors everywhere saw the coordinated takedown of LockBit which was announced by Europol and the U.S. Federal Bureau of Investigation (FBI). Law enforcement agencies from 10 countries worked together to disrupt the LockBit Ransomware operation run by a Russian threat actor known as LockBitSupp. The platform was initially breached by a PHP exploit on an outdated PHP server by the joint international effort known as “Operation Cronos”, seizing 34 servers along with more than 200 LockBit-affiliated crypto-wallets. The ransoms paid to the LockBit operation over the last three years totaled over $120 Million from more than 2,000 victims. Now with the site seized, including source code, details of victims, the amounts extorted, inter-chat logs, stolen data, and decryptors, many assumed that would be the death of the operation.

Not so fast. Within 5 days, the platform operator moved its data leak site to a new .onion address and announced LockBit was resuming operations along with a communication admitting “personal negligence and irresponsibility” led to law enforcement disrupting its operation. Activity after the law enforcement take down has diminished, but some affiliates are operating again. However, many in the cybercrime community appear to believe LockBit will shut down permanently due to a loss of trust.

With the new platform up and running, LockBit should still be considered a formidable threat.

To learn more about the technical aspects of the threat, read VMRay’s analysis on LockBit 3.0.

View VMRay Analysis Report