Almost Got Em!

When we talk about the possibility of a cybersecurity incident, do you ever wonder who are the criminal ransomware organizations responsible? We dug a bit deeper into one particular incident whom you may all be familiar with. The compromise within London Drugs.

On February 20, 2024, the UK’s National Crime Agency (NCA) announced that as part of an international effort it had infiltrated and compromised LockBit, one of the largest criminal ransomware organizations in the world. LockBit had become “fundamentally redundant.”, according to Graeme Biggar, the director of the NCA, boasting that “we have hacked the hackers.” Phew, right?

Despite all the rhetoric, on April 28, just over two months later, London Drugs, a major Western Canadian retailer with around 80 big box locations from BC to Manitoba, was forced to close for over a week due to an “operational issue” that was later revealed to be a ransomware attack carried out by none other than LockBit.

This begs the question, if LockBit was so thoroughly compromised, how could they pull off another major breach in such a short time, even while under such major scrutiny by the authorities – authorities who were even claiming to have recovered Personal Identifying Information during their own hack of LockBit’s environment?

LockBit first appeared in 2019, and was originally known by the name “.abcd” before changing to the current name soon after. In less than five years during which LockBit has been around it has racked up well over 3,000 publicly known victims, and it likely has many more we’ve never heard of.

Among its known victims stand major organizations like airplane manufacturer Boeing, the UK’s NHS and Royal Mail, and the Subway chain of fast food restaurants.

The secret to LockBit’s extraordinary reach is two fold. First, by all appearances it runs itself like any legitimate business, even running a bug bounty program for its software, and second, by adopting the as-a-Service model common in IT, and licensing the use of its ransomware to affiliates who then target their victims, rather than carrying out attacks on its own.

In exchange for using its ransomware, LockBit takes an estimated 20% of the ransom, leaving the affiliate who carried out the attack with the remaining 80%. (sweet deal if you can get it!)

The tradeoff for LockBit is that it does not have the same control over who is targeted by its ransomware that other criminal groups have, leading to a much larger variety in the number and types of targets that are chosen, and a higher chance that more sensitive or objectionable locations may fall victim.

In fact on December 31st, 2022, Lockbit issued an apology for the ransomware attack on Toronto’s Hospital for Sick Children, claiming an affiliate violated its rules.  This, however, hasn’t stopped LockBit or its affiliates from targeting other hospitals or health systems, and deaths have been attributed to ransomware attacks in the past. In spite of the unprecedented apology given by LockBit for the attack on a children’s hospital, it should be clear that no one is safe.

All of this leads to the simple question, if major fortune 500 companies are falling victim to these attacks, then what hope do small and medium sized businesses have of avoiding ransomware?  The answer to this question is surprisingly, quite a lot.

Very few successful attacks are carried out with complex hacks these days. Such techniques are time consuming, expensive, and they can be unreliable, as systems get patched and tricks that once worked no longer will.

A robust security infrastructure including Next-gen firewalls, SIEM, MFA, and EDR – among other elements, can help make an operating environment unattractive to threat actors.

However, even with this infrastructure in place, the weakest point for every organization remains the same – its users.  Most attacks come through vectors created directly by users. Whether it be weak passwords, reused passwords, users not locking their devices, allowing strangers access to sensitive areas, or clicking on strange links in emails.

The best way to combat these weaknesses is through Security Awareness Training. This training helps users to understand how they can be manipulated by bad actors, and how they can provide better security themselves.

Only a few months on, it already seems the NCA’s announcement of having taken down LockBit was premature.

At least one major attack has been attributed to it, and although on May 7, 2024 the US Department of Defense announced charges against Dmitry Khoroshev, the alleged leader of the group, he continues to live with impunity in Russia.

Criminal ransomware groups have proven extremely difficult to take down, and even if they can be stopped another one will be there to take over as soon as they are gone.

Ransomware is not going away any time soon, and only looks to get more sophisticated. This is why it is more important than ever that everyone make sure their environment is well defended from serious threat actors.


Picture of Author: Adam Macpherson

Author: Adam Macpherson

CS Controls Analyst

Cyber Security Maturity graphic - bare minimum