LockBit Smashed, But Its Affiliates Are Still In the Ransomware Racket

In February a multinational task force led by the UK’s National Crime Agency seized the main website of LockBit, the most successful ransomware group in recent memory. The servers operating the group’s base of operations were seized. A man in Poland and another in Ukraine were arrested, and the U.S. announced sanctions on two Russian nationals for their role in LockBit.

SC Media reports that such an operation yields insights into how these organized crime groups operate, but it also exposes the limits of law enforcement’s power to combat cybercrime.

Ransomware and other cybercrime groups are like an ananarcho-syndicalist commune, says SC Media. Their makeup is fluid. They require core proficiencies, ranging from software and hardware development to money laundering and ransom negotiation. The latter requires an additional skill, English language proficiency. 

The actual attacks are conducted by “affiliates” who use the platform and brand name to extort victims and share the proceeds. Thus, shutting down the brand doesn’t necessarily impact core group members. The sanctions the U.S. imposed effectively killed “LockBit” because no company based in this country will pay it a ransom. However, if the core reassembles under a different name there is nothing to prevent it from launching viable operations.

The arrests and DOJ indictments that accompanied the takedown of LockBit are likely just the tip of the iceberg. There are probably more indictments under seal that could be used to grab other participants if they are foolish enough to stray from the unfriendly jurisdictions where they hole up. The two arrests made were in friendly countries. Both men will face additional charges in France.

That’s too bad for them, but several websites LockBit used are still available, including the one that houses victims’ data. That data can still be exposed if the victims don’t pay up. Nor can the sanctioned Russians be deprived of income if they re-emerge under a new name.

SC Media suggests that law enforcement’s ability to conduct operations must be ramped up to such an extent that co-conspirators in gangs like LockBit lose faith in the safety of participation. That might have a real effect.