A due foreword on Ransomware as a Service: the ever-evolving threat
Ransomware is a type of malware that encrypts victims’ data and demands a ransom in exchange for decryption. In recent years, ransomware has become an increasingly prevalent threat to businesses and private citizens.
The RaaS (Ransomware as a Service) model has contributed to the growth of ransomware. In this model, one group of criminals develops the ransomware and rents it to other criminals, who use it to attack their victims. This model makes ransomware accessible to a wide range of criminals, even those with few technical skills. Its distinguishing features are:
- Development and maintenance: the RaaS group develops and maintains ransomware.
- Renting: ransomware is rented to other criminals, so-called affiliates.
- Attacks: affiliates use ransomware to attack their victims.
- Ransom: the ransom is paid by victims and then divided between the RaaS group and the affiliates.
Benefits of the RaaS model for criminals:
- Low risk: criminals do not have to develop ransomware from scratch.
- Wide reach: ransomware can be used by a wide range of criminals.
- Anonymity: RaaS group and affiliates can remain anonymous.
Disadvantages of the RaaS model for victims:
- Greater harm: the RaaS model can cause greater harm to victims, since the ransom is divided among multiple criminals.
- Difficulties in negotiation: it can be difficult to negotiate with the RaaS group, as it is not always clear who is responsible for the ransom.
LockBit: a case in point
LockBit is one of the most active and prolific RaaS groups in the world. The group has targeted a wide range of victims, including businesses, government agencies, health care facilities and private citizens. Its reach stems from the following characteristics:
- Sophisticated ransomware: LockBit ransomware is sophisticated and difficult to decrypt.
- Double extortion: LockBit threatens to publish victims’ data if ransom is not paid.
- Aggressive affiliate program: LockBit has an aggressive affiliate program that has led to a rapid increase in the number of attacks.
LockBit has had a significant impact globally. The group caused damages estimated in the billions of dollars to its victims. Law enforcement agencies around the world are working together to counter LockBit. In 2023, Operation Cronos led to the seizure of LockBit’s infrastructure and the arrest of several members of the group.
Operation Cronos: an unprecedented international action
Law enforcement agencies around the world have dealt a major blow to the LockBit ransomware group in a joint operation dubbed “Operation Cronos.” Coordinated by the UK’s National Crime Agency (NCA), the operation led to the seizure of servers and infrastructure used by the group, the arrest of several members, and the recovery of encrypted data for victims.
Cronos involved law enforcement agencies from 10 countries, including the United States, the United Kingdom, France, Germany and Australia. The operation had three main objectives:
- Dismantling LockBit’s infrastructure: law enforcement seized servers and infrastructure used by the group, preventing it from continuing to operate at full potential.
- Arresting LockBit members: several people associated with the group have been arrested and will stand trial.
- Recovering victims’ data: law enforcement agencies are working to recover data encrypted by LockBit and have already released some useful tools for recovery.
Operation Cronos is a significant success in the fight against cybercrime. It demonstrated the ability of law enforcement agencies to collaborate internationally to counter ransomware groups and sent a strong message to cybercriminals that their activities will not be tolerated.
This is an important step toward a safer future for all. However, the threat of ransomware remains high, and it is critical that businesses and individuals take appropriate measures to protect themselves.
Cyberoo IR team’s observations
Cyberoo’s Incident Response Team (IRT) analyzed Operation Cronos, which led to the dismantling of the LockBit ransomware group. Below we report our conclusions and considerations on future developments in the ransomware landscape.
Over the past two years, the IRT has worked on numerous ransomware cases, mainly involving LockBit and its affiliates. The dismantling of LockBit represents a significant success in the fight against cybercrime. Operation Cronos demonstrated the ability of law enforcement agencies to collaborate internationally to counter ransomware groups. In addition, the operation sent a strong message to cybercriminals that their activities will not be tolerated.
Possible future developments:
- Migration of affiliates: some LockBit affiliates are likely to move to other ransomware groups. This could lead to increased activity by those groups.
- Birth of new groups: historically, the dismantling of ransomware groups has led to the emergence of new ones. It is therefore possible that new ransomware groups will emerge to fill the gap left by LockBit.
- Evolution of ransomware: the dismantling of LockBit could prompt cybercriminals to develop new ransomware techniques to evade law enforcement.
- Increased attention to cybersecurity: Operation Cronos could raise awareness of ransomware risk and increase attention to cybersecurity among companies and private citizens.
Final considerations
The dismantling of LockBit is a great achievement, but it does not represent the end of ransomware. It is critical that businesses and individuals continue to take appropriate measures to protect themselves from this ever-evolving threat. According to the IRT’s predictions, there may be a downturn in ransomware attacks during the coming months, since affiliates will have to “move on” and adapt to other criminal groups, and some may even stop operating for a long time.
From mid-year onward, there will most likely be an increase in attacks that could bring the trend back to all-time highs.
LockBit will go down in history as the most notorious and organized criminal group in the ransomware ecosystem.
Cyberoo will continue to monitor the evolving ransomware landscape and provide security updates and advice to its customers.