Why LockBit Hacker Takedown Could Accelerate Shift To Low-Profile Attacks

The U.S. government announced Tuesday the disruption of the threat actor group and indictments against two Russian nationals.

The U.S. government said Tuesday it has disrupted certain operations of the LockBit threat actor group and indicted two Russian nationals associated with the prolific cybercriminal gang.

The disclosure is a huge deal in the battle against cybercrime, given that LockBit “has been at the core of a lot of the ransomware attacks” we’ve seen in recent years, SonicWall CEO Bob VanKirk said in an interview with CRN Tuesday.

Among the notable LockBit attacks was last year’s incident involving IT solution provider giant CDW. The company said in October that it was investigating after LockBit claimed to leak stolen CDW data, following an $80 million extortion payment demand that ranked as the third-largest ever at the time.

In all, the Russian-speaking group has been paid more than $120 million in ransoms while targeting more than 2,000 victims, according to the U.S. government disclosure Tuesday.

The disruption operation announced by the FBI and other law enforcement agencies included the seizure of “numerous public-facing websites used by LockBit to connect to the organization’s infrastructure and seizing control of servers used by LockBit administrators,” according to a news release.

The U.S. Justice Department also unsealed indictments that charged two Russian nationals, identified as Artur Sungatov and Ivan Kondratyev, with deploying LockBit ransomware “against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries,” according to the release. The pair are also charged with targeting “victims around the world in the semiconductor and other industries,” the release said.

Meanwhile, the U.K. National Crime Agency’s Cyber Division and the FBI have developed a decryptor for LockBit that will be provided to victims. These decryption capabilities “may enable hundreds of victims around the world to restore systems encrypted using the LockBit ransomware variant,” the release said.

Michael Crean, who heads SonicWall’s managed security services unit, told CRN Tuesday that the disruption could be consequential in several ways.

For one thing, “it's another reminder that we're going after these really large organizations and taking them out, and we're becoming more aggressive with it,” Crean said.

One ultimate result, however, may be an accelerated pivot by attackers to lower-profile activities, he said.

“If I'm a bad guy, what am I going to do now? Well, I'm going to try to fly under the radar but still get what I want,” Crean said. “I’ll just do it in a way that doesn't draw any attention to me.”

An even greater expansion in attacks against SMBs — which naturally don’t get as much notice as attacks targeting major enterprises and government agencies — could be among the results of this pivot. Such attacks have recently been underscored by a series of nation-state attack campaigns exploiting small office/home office (SOHO) routers, revealed by the FBI in recent weeks.

Last week, the FBI disclosed its disruption of a widespread campaign by Russia-aligned hackers that had compromised “hundreds” of SOHO routers. And in late January, the agency revealed the disruption of a China-linked campaign exploiting SOHO routers, many of them old and unsupported.

VanKirk said it’s clear that at the moment, “SMBs are right in the crosshairs” for hacker groups, across both nation-state attackers and cybercriminals.

“The threat actors don't care anymore. They're not just targeting enterprises,” he said. “They've leaned into state and local government, they've leaned into the SMB space.”

This makes the role of the MSP more crucial than ever from a security perspective, VanKirk told CRN.

“Based upon the sheer number of attacks and the complexity, MSPs really provide a key security layer that end customers require, especially in the SMB space,” he said.