In seizing and dismantling LockBit’s infrastructure, enforcement authorities are now making a mockery of the ransomware criminals by promising a long, drawn-out disclosure of the gang’s secrets, the Register reports.
After the infosec world was invigorated by the announcement of LockBit’s site being seized yesterday, the authorities involved in the takedown operation – dubbed Operation Cronos – have now completely taken over the extortionists’ dark-web leak site and turned it into an exposé hub.
The UK’s National Crime Agency (NCA) is the authority that has taken control of LockBit’s site and administration environment, and is the body behind the slow dissemination of information throughout this week.
In typical LockBit style, its countdown timers have been hijacked to reveal the times at which various pieces of information will be revealed, including what appears to be the identity of LockBit’s leader. It’s all going to culminate on Friday, February 23, with what appears to be the grand reveal of LockBitSupp’s identity.
Also being revealed are further insights into LockBit’s frozen and analyzed cryptocurrency wallets, including details about the amount of profit it generated over its time in business. At 2300 UTC on Saturday, February 24, the NCA’s final action will be to shut down the site for good. So get those laughs in and marvel at the brilliantly defaced site while you still can.
If LockBit is able to recover, it will be the second failed major ransomware takedown in recent months after the US Federal Bureau of Investigation’s attempt to shutter ALPHV/BlackCat led to the criminals taking back control of their infrastructure within a few days.
However, given the degree to which we can already see the NCA taking over LockBit’s site, perhaps a more likely scenario is one where LockBit is unaware of the extent to which it’s been compromised and won’t ever recover.
“One thing we do know is the collective of law enforcement agencies will certainly have carefully weighed short-term and long-term impact opportunity to ensure maximum disruption and impose maximum cost on LockBit and we support any and all action that dents or impedes their continued operation,” said Tim West, director of threat intelligence and outreach at WithSecure, speaking to the Register. “For this reason, we celebrate what would no doubt have been a complex and difficult operation and offer congratulations to those involved.”