What the LockBit ransomware gang’s return means for healthcare

March 11, 2024 - Since its emergence four years ago, the LockBit ransomware gang has been ruthlessly targeting organizations across critical infrastructure at alarming rates. The group’s constant tactic modifications and vast network of affiliates enabled it to deploy ransomware against more than 2,000 victims and receive more than $120 million in ransom payments, according to the FBI.

But in February 2024, US and UK authorities announced the disruption of the LockBit ransomware gang following a months-long effort under "Operation Cronos," a dedicated task force aimed at dismantling the group. The international task force successfully took control of LockBit’s leak site and admin portal, as well as 28 servers, and was able to offer decryption keys to victims.

The action was hugely successful at disrupting the group’s operations and helping its victims. However, after just a few days of downtime, LockBit restored its servers and was running once again.

HealthITSecurity spoke with Nic Finn, senior threat intelligence consultant at GuidePoint Security, to discuss the significance of this disruption and what the group’s reemergence means for healthcare.

Government Takedown Successfully Weakens LockBit

“LockBit has been the biggest group for a long time. They likely have the most affiliates, and they are clearly posting the most victims. They have quite an established set of rules for how their affiliates operate,” Finn said.

“That has led us to this instance where I think it just made sense that law enforcement needed to act against them in some way to try and curb all this victimization across multiple industries.”

In 2022, LockBit was the most active global ransomware group and RaaS provider by number of victims claimed on their data leak site, the FBI found. The group remained one of the most prolific ransomware groups of 2023, the GuidePoint Research and Intelligence Team (GRIT) revealed in its annual report. LockBit’s aggressive attacks against healthcare and other sectors prompted multiple alerts and analyst notes from federal agencies in recent years, including HHS.

Considering LockBit’s reputation in the global cyber threat landscape, UK and US cyber authorities teamed up with international partners from nine other countries to covertly investigate the group.

As a result of these efforts, authorities were able to seize multiple public-facing websites used by LockBit and gain control of servers used by LockBit administrators. Authorities were also able to dismantle LockBit’s bespoke data exfiltration tool, known as Stealbit.

The US also unsealed indictments against two individuals for conspiring to commit LockBit attacks. Additionally, Europol arrested two LockBit actors in Poland and Ukraine and froze more than 200 cryptocurrency accounts linked to the group.  

Notably, the task force was able to obtain decryption keys for more than 1,000 victims, helping them to restore encrypted data.

“From everything we have seen so far, it seems like the takedown was very effective,” Finn noted.

Even with the subsequent reemergence, the task force made significant headway in disrupting the group’s infrastructure and chipping away at its reputation.

LockBit Reemerges Within Days

Following the takedown, international authorities alluded to the potential return of LockBit and its affiliates, knowing how easy it is for ransomware groups to rebrand following unwanted law enforcement attention.

“Our work does not stop here,” Graeme Biggar, National Crime Agency (NCA) director general, said in the NCA’s announcement on the day of the takedown. “LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

Ransomware groups are difficult to pin down because when they get caught, they might reemerge under a different name using revised tactics.

“The rebranding process is extremely simple for these guys,” Finn emphasized. “If we say you can't interact with LockBit anymore, then LockBit could just change their name to BitLock and continue operations.”

In this case, Finn suggested that LockBit was able to recuperate so fast because it had reliable data backups and was potentially prepared for an attempted takedown. Finn’s team observed LockBit posting victims on its new leak site shortly after reemerging, but some of the leaks listed may have been previous victims.

“The assumption we'd have to make is that those are not new victims, because the standard timeframe here is they victimize an organization, they go to that organization and demand payment, and then they threaten to leak their information on the leak site,” Finn noted.

“The fact that there are already leaks on the site implies that those might have been previous victims that they just hadn't posted yet, and now they're coming back and posting those victims just for visibility.”

While it is too soon to tell how LockBit actors will adjust their tactics in light of the disruption, other ransomware groups have been observed returning to cybercrime forcefully following a law enforcement takedown.

For example, the FBI announced its successful disruption of BlackCat in December 2023, only for the group to return with a large-scale cyberattack against Change Healthcare in February. Following the takedown, BlackCat lifted a ban on attacking hospitals and even encouraged its affiliates to do so.

“It's a bit of a double-edged sword because you want to impact their operations. You want to get these affiliates worried about working with LockBit,” Finn said. “But on the other hand, by taking them down, if they do reemerge, then you end up in a situation where a lot of organizations are now at higher risk from LockBit.”

Though the disruption of LockBit was a significant win, those defending against ransomware should remain vigilant as LockBit adjusts its tactics and targets to remain resilient.

What This Means For Healthcare

“I don't think we have enough data yet to glean whether there are any real shifts in what the targeting is,” Finn noted.

However, he predicted that LockBit, like BlackCat, would target healthcare more aggressively, potentially resulting in damaging effects on healthcare servers and services.  

The healthcare sector is already defending against a multitude of cyber threats. Even if LockBit decides to double down on its efforts to disrupt the sector, Finn suggested that the core defense recommendations remain unchanged.

“The only difference is the healthcare industry especially has to have a better plan in place to get back to operations quickly, because this impact is going to be a lot more thorough than just data leakage now,” he added.

Maintaining offsite backups will be crucial to resilience, Finn said. Additionally, Finn recommended leveraging government resources like the Cybersecurity and Infrastructure Security Agency’s (CISA) Stop Ransomware site, which offers fact sheets and guidance for ransomware prevention and response.

As ransomware groups shift away from standard encryption and toward more damaging tactics such as double extortion, organizations will have to adjust their defense tactics to match.  

HHS recently released an overarching healthcare cybersecurity strategy for the sector, consisting of cybersecurity performance goals (CPGs) that organizations can use to level up their security maturity. With these emerging and persisting threats in mind, the sector can leverage these key resources to better defend against LockBit and other prolific ransomware groups.