
Operation Cronos: A Breakdown of the LockBit Disruption

Check out LockBit 3.0 on our new Ransomware Tracker Beta!

Hear more about Operation Cronos on The 443 Podcast.

If you’ve followed the ransomware space for the past few years, it’s very likely you’ve heard of LockBit. If you don’t follow the cybersecurity landscape, there’s still a good chance you’ve heard of them or at least their operations. The group’s affiliates have been in headline after headline after headline after headline. In the past few months alone, affiliates have breached ICBC, exfiltrated data from Boeing, and demanded the third largest ransom ever – $80 million – from CDW. To say they’ve been a thorn in the side of organizations and researchers is an understatement.

LockBit is better known for the sheer number of its breaches than for big-name breaches over the past several years. Since their inception in June 2022, they’ve accumulated around 1,500 victims posted to their dark web data leak site. However, the LockBit operation began as ABCD ransomware all the way back in mid-to-late 2019. It evolved into LockBit, then LockBit 2.0, and now LockBit 3.0. Throughout the group’s entire operation, they’ve accumulated a few thousand victims posted to their data leak sites. This doesn’t include the many other victims who weren’t posted and likely paid the ransom.

In WatchGuard’s soon-to-be-released 2023 Q4 Internet Security Report (ISR), we include summation infographics of just how problematic LockBit’s operation has been:

On Monday, February 19, 2024, law enforcement, headed by the National Crime Agency in the U.K., disrupted the group’s operations, putting a temporary hiatus on LockBit 3.0. They dubbed this “Operation Cronos.” It adds to an ever-increasing list of law enforcement takedowns and disruptions of ransomware gangs. Recently, law enforcement seized the RagnarLocker operation and arrested the alleged main perpetrator of that group. At the beginning of 2023, law enforcement announced the dismantling of the Hive ransomware infrastructure. However, according to researchers, that takedown came without subsequent arrests, and that group rebranded and reemerged as Hunters International. There are several other instances, but now, law enforcement can add LockBit to their list. Unfortunately, the group quickly regrouped and reemerged with the same data leak site, but with the data refreshed and with a fresh new set of TOR domains. This disruption was just that, a disruption in the group’s operations, but not a complete dismantling.

The purpose of this post is to serve as documentation of Operation Cronos and briefly discuss each aspect of the disruption. Here is what Operation Cronos resulted in…


On February 19, if someone were to navigate to one of LockBit’s data leak sites, it would show the following splash screen:

After a few seconds, the webpage redirects to the traditional-looking LockBit victim’s screen. This time, though, there’s a catch. What are usually victim entries are now various entries in which law enforcement explains to the public what they uncovered. In other words, law enforcement took over the data leak site and used the group’s own infrastructure to shame LockBit and explain the operation. This is a noticeable shift in demeanor from law enforcement compared to previous takedowns, and it continues throughout this post, as you will see. They even created countdown timers and released data as each reached zero, similar to how the group would release ill-gotten data from victim organizations. Here is what viewers would see after redirection from the splash screen:

This post will provide insight into each of the placards above and serve as a de facto repository for Operation Cronos as it closed on Saturday, February 24 at 4PM PST.


Table of Contents




Press Releases

The first placard is of the press releases created and distributed by the NCA of the UK, the United States Justice Department, and Europol.

Placard

Detailed View

Contents

Press Release

This site is now under the control of The National Crime Agency of the U.K., working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’. Please use the links below to access the press releases and story related to this operation.


LB Backend Leaks

The second placard provides valuable insight into the administrative backend of the LockBit operation. If you want to see what the LockBit administrators would see when they log in to the data leak site, then this is the right place to look. Law enforcement posted a trio of media galleries showing the group’s operations, including pictures of the administrative pages and the source code. Each picture is briefly described below:

Admin Panel

Blog

Core

Placard

Detailed View

Contents

Lockbit Backend Leaks

Admin Panel

Blog

Core


Lockbitsupp

Lockbitsupp is the face of the group on forums. This user has been responsible for responding to researchers and the media on two popular forums – exploit.in and xss.is. A few weeks prior to Operation Cronos, Lockbitsupp was banned from both of these forums after being deemed untrustworthy. Law enforcement took a dig at Lockbitsupp by creating this entry around a three-strikes baseball analogy. The post shows that Lockbitsupp has been banned from those two forums and from their own data leak site.

Placard

Detailed View

Contents

N/A


Who is LockbitSupp?

This was the last entry law enforcement published, based on the timers they set. Everyone anticipated that the LockBit admin’s identity was about to be exposed. Unfortunately, the post only gave a few hints and stated that law enforcement know who he is and are in contact with him. Considering this takedown didn’t dismantle the operation, and it has continued, this should be taken with a grain of salt. Time will tell here.

Placard

Detailed View

Contents

Who is LockbitSupp?
 
LockbitSupp has claimed to live in the United States… he doesn’t
LockbitSupp has claimed to live in the Netherlands… he doesn’t
LockbitSupp has claimed to have a Lamborghini… he drives a Mercedes (though parts may be hard to source)
We know who he is.
We know where he lives.
We know how much he is worth.
 
LockbitSupp has engaged with Law Enforcement 🙂

Lockbit Decryption Keys

This entry is for victims of LockBit who may now, or in the future, need a LockBit decryption key; law enforcement may be able to help with a decryptor. They urge those individuals to contact law enforcement. IC3 even created a specific subdomain for LockBit victims, and contact information is also provided for those based in the UK or elsewhere.

Placard

Detailed View

Contents

Decrypt LockBit

As part of this operation, having obtained unique access to key infrastructure belonging to Lockbit, the NCA, and our partners, have a great deal of intelligence related to Lockbit source code and activity. As part of our engagement response, please click the links below, based on where you are located, and we will seek to support the decryption of your data if you suffered an attack by this group. You may recover important files!

When making contact, please provide the following information to assist us in supporting you:

Links:

If UK based, please email the NCA at – lockbit@nca.gov.uk
If US based, click here.
If based anywhere else in the world, click here: Decryption Tools | The No More Ransom Project


Rewards for Reporting

The United States Department of State, Department of Justice, and FBI are offering “a reward of up to $10 million for information leading to the identification or location of any individual(s) who hold a leadership position in the LockBit ransomware variant transnational organized crime group and a reward offer of up to $5 million for information leading to the arrest and/or conviction of any individual conspiring to participate in or attempting to participate in LockBit ransomware activities.” This placard provides information on these rewards.

Placard

Detailed View

Contents

Narcotics and Transnational Organized Crime Rewards Programs Owners/Operators/Affiliates of the LockBit Ransomware as a Service

The U.S. Department of State is offering a reward of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold a leadership position in the LockBit ransomware variant transnational organized crime group.  In addition, a reward offer of up to $5,000,000 is offered for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in LockBit ransomware activities.

Links:


U.S. Indictments

This entry provides information on the unsealed indictment from the Department of Justice charging two Russian nationals with using LockBit against organizations. It also provides information on the dedicated IC3 website for LockBit victims.

Placard

Detailed View

Contents

Today – Ivan Kondratyev (Bassterlord) & Artur Sungatov

The Justice Department today unsealed an indictment charging Russian nationals Artur Sungatov and Ivan Kondratyev, a/k/a “Bassterlord,” with using the LockBit ransomware variant. Previous charges against Lockbit actors, linked to this operation, include:

U.S. victims and non-U.S. victims who wish to participate in the U.S. LockBit prosecutions (e.g., to submit a victim-impact statement or to claim restitution): https://lockbitvictims.ic3.gov

Links:


Sanctions

Along with indictments, the OFAC imposed sanctions on the same two Russian nationals – Ivan Kondratyev and Artur Sungatov.

Placard

Detailed View

Contents

U.S. Sanctions

The cyber-related sanctions program implemented by the Office of Foreign Assets Control (OFAC) imposes sanctions on threat actors responsible for malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States. The following malicious cyber actors have been sanctioned for their involvement in LockBit Ransomware.

Links:


FR Arrest Warrants

In France, the Paris Judicial Court issued two new arrest warrants, both dated February 20, 2024:

Placard

Detailed View

Contents

FR arrest warrants

The instructive judges of the Paris Judicial Court have issued three arrest warrants against three members of the cybercrime network Lockbit. Two Russian nationals and one Polish national have been charged.

(Because of the French legal framework relating to the secrecy of investigations, no element of identification can be made public at this stage)


Arrest in Poland

The arrest mentioned here is the same one referenced in the French arrest warrants above. This individual helped launder money for the LockBit group.

Placard

Detailed View

Contents

Suspect arrested in Poland

In a meticulously coordinated effort that is emblematic of international cooperation, the Field Branch in Krakow Central Cybercrime Bureau executed a targeted operation at the request of French judicial authorities to apprehend a suspect involved in the world’s most active ransomware operation to date. Joint intelligence gathering across borders facilitated the precise identification of an individual who is believed to have laundered a significant portion of the profits generated by the LockBit group. Through strategic planning and real-time information sharing between agencies via Europol’s Virtual Command Post (VCP) and on-the-ground support, authorities acted quickly to capture the suspect, ensuring that no stone was left unturned in the pursuit of justice. Despite the relatively short period of time, after only a year and a half since the unit’s inception, Central Cybercrime Bureau officers are equal partners in combating serious international cybercrime. This groundbreaking operation is a testament to the power of global cooperation and upholding the rule of law in an increasingly interconnected world.

Links:


Activity in Ukraine

Ukrainian authorities also apprehended a father and son duo who were affiliates of LockBit.

Placard

Detailed View

Contents

Suspect arrested in Ukraine

Ukrainian authorities persevered through the challenges of a war-torn environment. Their collaborative effort led to the successful apprehension of suspects in Ukraine, showcasing their resilience and commitment to upholding the rule of law amidst adversity.

Despite the formidable constraints posed by the ongoing Russian war of aggression against Ukraine, local authorities persisted in their pursuit of justice, navigating through the complexities and challenges inherent in such a volatile environment, especially in relation to temporarily occupied territories in Eastern Ukraine. Amidst heightened tensions and logistical hurdles, the investigation encountered numerous obstacles that threatened to impede progress. However, through unwavering determination and resourcefulness, authorities pressed forward, adapting their strategies to circumvent the adversities presented by the conflict. The collaborative effort yielded tangible results, culminating in the successful house search and interview of suspects in Ukraine Ternopil on the request of the French judicial authorities. This achievement underscores the resilience and commitment of international law enforcement agencies to uphold the rule of law, even in the face of the most daunting circumstances.

Links:


Report Cyber Attacks!

This placard instructs readers on how to report cyber attacks to the proper authorities in twelve different countries representing the UK, US, and Europol.

Placard

Detailed View

Contents

Report Cyber Attacks

Reporting a cyber-attack to law enforcement is of paramount importance in the face of evolving cyber threats. Law enforcement agencies play a crucial role in investigating and combating cybercrime, and their involvement can contribute to a comprehensive understanding of the attack’s origin, methods, and potential offenders responsible. By reporting such incidents, victims not only assist in their own recovery but also contribute valuable data to collective efforts in preventing future attacks. Collaboration with law enforcement agencies helps build a broader awareness of emerging threats, facilitates the sharing of threat intelligence, and enhances the overall cybersecurity landscape. Timely and accurate reporting empowers authorities to take necessary actions, potentially leading to the apprehension of cybercriminals and the disruption of criminal networks, thereby safeguarding both individual victims and the broader digital community.

https://www.gov.uk/report-cyber
https://lockbitvictims.ic3.gov
https://www.europol.europa.eu/report-a-crime/report-cybercrime-online
https://www.cybermalveillance.gouv.fr/diagnostic/accueil
https://www.polizei.de/Polizei/DE/Einrichtungen/ZAC/zac_node.html
https://www.poliisi.fi
https://www.ncsc.admin.ch/ncsc/en/home.html
https://www.rcmp-grc.gc.ca/en/have-been-a-victim-cybercrime
https://www.npa.go.jp/bureau/cyber/countermeasures/ransom.html
https://polisen.se/utsatt-for-brott/polisanmalan/
https://www.cyber.gov.au/report-and-recover/report
https://www.politie.nl/informatie/ik-ben-slachtoffer-van-ransomware.-wat-moet-ik-doen.html

Recovery Tool

The Japanese Police and Europol created a decryptor for the LockBit Black (LockBit 3.0) encryptor. As a quick refresher, LockBit has four known encryptors for affiliates to customize and use to encrypt files on a victim’s machine: LockBit RED, LockBit BLACK, LockBit GREEN, and LockBit Linux/ESXi. You can observe the view of the LockBit RED builder in LB Backend Leaks, picture VM2_Core_Admin_3.png. According to the details, Europol provided No More Ransom with decryptor tools.

Placard

Detailed View

Contents

Japanese LockBit Recovery Tool

The Japanese Police, supported by Europol, have developed a recovery tool, designed to recover files encrypted by the LockBit 3.0 Black Ransomware.

In order for this recovery solution to work, you are required to run this binary file on your infected machine. This will run a first assessment on your machine.

In order to produce this tool, the Japanese Police has concentrated a great deal of technical expertise to reveal the structure of the encryption based on reverse engineering forensics for more than three months. This solution has been tested internally and important efforts have been made to make it available during the joint operation CRONOS.

Supporting the technical efforts of the NPA, Europol provided experts to adapt this solution to the “NoMoreRansom” project. This website is available in 37 languages and now contains more than 120 solutions capable of decrypting 150+ different types of ransomware. So far, more than 6 million victims across the globe have benefited from this project.

Links:


Cyber Choices

This placard provides information on the Cyber Choices program that helps people use their cyber skills in a legal way. This is a program in the United Kingdom.

Placard

Detailed View

Contents

Don’t become an affiliate! – Cyber Choices

The Cyber Choices programme was created to help people make informed choices and to use their cyber skills in a legal way.

This is a U.K. national programme co-ordinated by the National Crime Agency and delivered by Cyber Choices teams within U.K. Regional Organised Crime Units and Local Police Force Cyber Teams.

The aims of the programme are:

Links:


Stealbit Down!

StealBit is a toolkit created by the LockBit operators that facilitates the exfiltration of data for affiliates. Affiliates can build this tool with the group’s builder software. The custom build allows affiliates to exfiltrate data to one of six upstream servers controlled by the LockBit operators. Since the toolkit is built to each affiliate’s specifications and identifier, the exfiltration of data is tracked by campaign ID and tied back to each affiliate. A tracking system for data-stealing campaigns, if you will. The NCA claims to have fully analyzed this malware and dismantled all six upstream servers. They also provide some useful infographics to understand how it works.

Placard

Detailed View

Contents

Stealbit Down!

The NCA have been examining Lockbit’s Stealbit tool for a number of months. The below report describes the importance of the tool to Lockbit’s platform and how it works. All Stealbit servers have been taken offline as part of this operation through the key work of the FBI, Europol and Law Enforcement partners in Finland and the Netherlands.

Analysis

Over the course of this collaborative operation, the NCA have obtained and analysed a great deal of information relating to Lockbit’s bespoke exfiltration tool, ‘Stealbit’. This tool is provided to Lockbit affiliates to facilitate the exfiltration of files from victim organisations and send the files to 1 of 6 upstream proxy servers. The NCA have located these proxy servers and, through the engagement of the FBI and Cronos Group, all 6 have been destroyed. The source code for the script which creates these upstream proxy servers has also been obtained and analysed. We are also in possession of all variants of the StealBit source code.

Stealbit is an example of Lockbit’s attempt to offer a full ‘one stop shop’ service to its affiliates, encryption, exfiltration, negotiation, publishing.

In essence, we have fully analysed and understand how this malware and its associated infrastructure operates. We have located and destroyed the servers, and can locate them again should anyone be misguided enough to attempt its use.

Stealbit

Stealbit is an executable and it requires a password to run. Stealbit is designed to exfiltrate files from a company and send the files to 1 of 6 upstream proxy servers. All of these have been located. When Stealbit is executed on a computer, it is able to select files from a specific folder or from the whole computer.

The malware then sends the data using a ‘WebDAV header’, which contains a new file name (33 characters in length and begins with 0 or 1), the filepath, computer name and a unique identifier. The unique identifier is a ‘Campaign ID’ that links the targeted victim and the Threat Actor in Lockbit’s administration platform. These details are transferred along with the stolen data as it is exfiltrated, and this enables the affiliate who infected the company to be identified to Lockbit, and, ultimately, get paid. Through these campaign I.D.’s the link between the victim and affiliates can be established. Once executed, if Stealbit cannot connect to its hardcoded I.P. address to exfiltrate the stolen data, it will delete itself without any data being transferred.

There have been two methods observed on how affiliates utilise Stealbit. It appears from our observations that method one is the preferred way that data is sent to reach the blog site. By utilising, method two affiliates run the risk of burning Stealbit infrastructure through discovery by Incident Response companies.
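A defender-side heuristic built only from the traits the placard above states: files leave over WebDAV, each upload carries a new name that is exactly 33 characters long and begins with 0 or 1, and the destination is a hardcoded IP rather than a hostname. This is an added example, not code from the page or from the NCA; the proxy log format, host names, addresses and file names are constructed for illustration, and the remaining 32 characters of the name are not specified on the page, so the pattern deliberately accepts any non-slash character there.

```python
"""Heuristic detection of StealBit-style WebDAV uploads in HTTP proxy logs.

Added example (not the NCA's or the page's code). Signals used, all taken
from the placard text: WebDAV PUT uploads, a new 33-character file name that
starts with '0' or '1', and a bare IP address as the upload destination.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp, client host, destination, method, URI.
# WS-042 pushes three renamed files to a bare IP; WS-007 is a normal DAV save;
# WS-011's name starts with '2' and a PROPFIND carries no file body.
SAMPLE_LOG = """\
2024-02-19T10:01:02Z WS-042 203.0.113.10 PUT /1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7 HTTP/1.1
2024-02-19T10:01:03Z WS-042 203.0.113.10 PUT /0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4 HTTP/1.1
2024-02-19T10:01:04Z WS-042 203.0.113.10 PUT /10123456789abcdef0123456789abcdef HTTP/1.1
2024-02-19T10:02:00Z WS-007 dav.example.net PUT /remote.php/dav/files/alice/report.docx HTTP/1.1
2024-02-19T10:03:00Z WS-042 203.0.113.10 PROPFIND /10123456789abcdef0123456789abcdef HTTP/1.1
2024-02-19T10:04:00Z WS-011 203.0.113.10 PUT /2a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7 HTTP/1.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)"
)
# Exactly 33 characters, first one '0' or '1'; the page gives no alphabet for
# the remaining 32, so anything except a path separator is accepted there.
STEALBIT_NAME_RE = re.compile(r"^[01][^/]{32}$")


def parse_line(line):
    """Split one constructed log line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The uploaded object's name is the last path segment of the request URI.
    rec["name"] = urlsplit(rec["uri"]).path.rstrip("/").rsplit("/", 1)[-1]
    return rec


def is_stealbit_like_name(name):
    """True when the name matches the 33-character, leading 0/1 pattern."""
    return bool(STEALBIT_NAME_RE.match(name))


def is_bare_ip(host):
    """True when the destination is a literal IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspect_uploads(log_text, min_hits=2):
    """Group PUTs with StealBit-like names by (client, destination).

    A single 33-character name starting with 0/1 can be a coincidence (many
    hash-like names look similar), so a pair is only reported once it reaches
    min_hits. dst_is_ip is recorded because the page says the tool contacts a
    hardcoded IP address; it is a supporting signal, not a filter.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "PUT":
            continue  # only PUT carries an uploaded file body
        if is_stealbit_like_name(rec["name"]):
            hits[(rec["src"], rec["dst"])].append(rec["name"])
    return {
        pair: {"names": names, "dst_is_ip": is_bare_ip(pair[1])}
        for pair, names in hits.items()
        if len(names) >= min_hits
    }


if __name__ == "__main__":
    for (src, dst), info in find_suspect_uploads(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {len(info['names'])} renamed uploads, "
              f"bare IP destination: {info['dst_is_ip']}")
```

Adapt parse_line() to your own proxy's log layout; the name, method and destination checks are independent of it.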


Affiliate Infrastructure Down

This entry is a description of the servers taken down in the entry above. It discusses the coordination required from various law enforcement agencies and the legal avenues that allow this cooperation to occur.

Placard

Detailed View

Contents

Lockbit’s Affiliate Infrastructure Down

The taking down of these servers required a strong coordination between the U.S., Netherlands, Germany, Finland, France, Switzerland, Australia and the United Kingdom. The dismantling of Lockbit was made possible through seamless cross-border cooperation, leveraging worldwide Mutual Legal Assistance Treaty (MLAT) procedures and 24/7 preservation requests facilitated by the Budapest Convention. This collaborative effort transcended geographical boundaries, as law enforcement agencies from various countries united their resources and expertise to support the disruption of the main infrastructure led by the U.K.’s National Crime Agency (NCA). These servers enabled both the initial cyberattacks by affiliates and supported the stealing of victim data and processing to ‘Stealbit’ servers. See ‘Stealbit down!’ article for further details.


Lockbit’s Hackers Exposed

As part of Operation Cronos, law enforcement exfiltrated a bunch of data from LockBit’s servers (sounds familiar). They reveal the message provided to affiliates who logged in to their admin consoles. They also show a picture of the admin login page and most interestingly, a picture of 194 affiliates (minus a few admin or test accounts).

Placard

Detailed View

Contents

Lockbit’s Hackers exposed

A large amount of data has been exfiltrated from Lockbit’s platform before it was all corrupted. With this data, the NCA and partners will be coordinating further enquiries to identify the hackers who pay to be a lockbit affiliate. Some basic details published here for the first time. Our message to L.B. affiliates…

After logging in to the L.B. panel, affiliates are presently seeing this personalised message:

Hello (user name), Law Enforcement has taken control of Lockbit’s platform and obtained all the information held on there. This information relates to the Lockbit group and you, their affiliate. We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats and much, much more. You can thank Lockbitsupp and their flawed infrastructure for this situation…..we may be in touch with you very soon.

If you would like to contact us directly, please get in touch.

In the meantime, we would encourage you to visit the Lockbit leaksite.

Have a nice day.

Regards,

The National Crime Agency of the U.K., the FBI, Europol, and the Operation Cronos Law Enforcement Task Force.


Prodaft

Proactive Defense Against Future Threats, or PRODAFT, is a cyber threat intelligence company with locations in Europe. They assisted law enforcement with Operation Cronos and published their own report on their findings. That link is below in the Contents.

Placard

Detailed View

Contents

Ruining the surprise of cybercriminals

Please visit the Prodaft website for more information.


Account Closures

Law enforcement also identified and referred for removal 14,000 accounts responsible for exfiltration or infrastructure.

Placard

Detailed View

Contents

Closure of more than 14,000 rogue accounts

LockBit is also infamous for having experimented with new methods for pressuring their victims into paying ransoms. Triple extortion is one such method, which includes the traditional methods of encrypting the victim’s data and threatening to leak it, but also incorporates Distributed Denial-of-Service (DDoS) attacks and intimidating phone calls as an additional layer of pressure. In the course of the operation, law enforcement agencies involved in Operation CRONOS managed to identify and refer for removal more than 14 000 accounts (Mega/Tutanota/Protonmail) responsible for exfiltration or infrastructure. This account closure was made possible by the New-Zealand police cyber unit, German State Bureau of Criminal Investigation Schleswig-Holstein and Zurich Cantonal Police of Switzerland. With each account representing a conduit for ill-gotten gains, this coordinated action strikes at the heart of cybercriminal operations, severely hampering their ability to profit from their nefarious activities.

Additional analysis from Europol’s European Cybercrime Centre also showed that some accounts were used to perform attacks using other ransomware variants.


Lockbit’s New Encryptor

Trend Micro also assisted the NCA with Operation Cronos and published an in-depth report on the LockBit operation. The link to that is below.

Placard

Detailed View

Contents

Trend Micro

Lockbit has regularly been seen right at the very top of the ransomware ecosystem when it came to number of data leaks per month, and impact on the internet overall. But beneath that seemingly successful outward persona, the groups have had notable issues and difficulties in recent times – reaching across all aspects of their criminal enterprise. They also have not had a major updated version of their core flagship ransomware suite in over a year – giving their competitors a chance to step up with more innovative solutions.

In this publication by Trend Micro researchers, we discuss the history of the group, and show evidence that it has not all gone as smoothly as it may appear on the surface. Working in collaboration with the NCA, we will also publish for the first time a detailed technical analysis of what we believe was a next potential platform agnostic rewrite of the Lockbit code, which we track as Lockbit-NG-Dev. Over the publication we show that while successful, it is not without its internal issues, and that no criminal group is too big to fail.

Links:


Secureworks

Secureworks released a report on the tactics, techniques and procedures (TTPs) of the LockBit group.

Placard

Detailed View

Contents

Secureworks report on Lockbit learning

Across twenty-plus incident response engagements, Secureworks CTU researchers observed multiple affiliates of LockBit ransomware-as-a-service (RaaS) attempt to extort victims through ransomware deployments, data theft or a combination of the two. Our report aims to shed light on their tactics, techniques and procedures (TTPs) to help you defend against the ransomware threat.

Links:


Lockbit Crypto

The NCA released an infographic on the cryptocurrency analysis for Operation Cronos. The analysis was done in conjunction with Chainalysis, a company that monitors the blockchain and provides analytics on transactions. They assisted in identifying the addresses associated with LockBit and the amount of cryptocurrency received as ransoms. Importantly, they note that this analysis only covers 18 months of a four-year crime spree, and counting. The amount received in just those 18 months was in excess of £100 million.

Placard

Detailed View

Contents

An insight as to the financial impact and profits of the group

Lockbit have carried out thousands of confirmed attacks over their 4 year lifespan, meaning their impact can be measured in the multi-billions of dollars globally. Based on NCA access to their systems, we provide some headline assessments of their profits, and are linking crypto transactions to the group and their affiliates.

A key partner in the broader U.K. investigation, the South West Regional Organised Crime Unit, supported by Chainalysis, has led in the tracking and monitoring of thousands of cryptocurrency addresses linked to Lockbit. Lockbit exposed exchange accounts are also being targeted, with hundreds of thousands of USD worth of crypto assets across more than 85 accounts currently restricted by Binance. We continue to progress this work and more details will come to light as we progress the investigation.


Closure

The Operation Cronos site closed on Saturday, February 24 at 4PM PST and is no longer viewable.

Placard

Detailed View

N/A

Contents

N/A

