Suara Malaysia
Saturday, September 21, 2024

    Top ransomware gangs in disarray after healthcare, Georgia hack

    Two of the most infamous ransomware groups worldwide are collapsing, leaving notable victims in their wake and causing chaos in the cybercriminal underworld. In recent years, BlackCat and LockBit have thrived by utilizing a ransomware-as-a-service model, renting out their malware to affiliate hackers to target numerous victims and collect millions in ransom payments. Their future is uncertain after US and international authorities seized their websites, arrested suspected hackers, and even taunted the leader of one of the gangs.

    The LockBit gang recently threatened to disclose details about former president Donald Trump, according to security experts. Meanwhile, a BlackCat administrator announced online that the group is disbanding due to a reported payment dispute.

    Wendi Whitmore, senior vice president of Palo Alto Networks Inc.’s Unit 42 threat intelligence group, described the situation as a “pressure-cooker,” leading the attackers to behave more erratically and unpredictably. She noted that attackers are feeling the heat from disruptions in their infrastructure, new regulations requiring victim organizations to enhance their security efforts, and improved security detection capabilities.

    Despite the troubles faced by these gangs, few are claiming victory. Ransomware hackers, many based in Russia or other countries beyond US law enforcement’s jurisdiction, often transition to different cybercriminal groups or launch new ones.

    George Kurtz, CEO of Crowdstrike Holdings Inc., emphasized that the threat is far from disappearing, stating, “They’re just going to re-constitute.” Nevertheless, the weakening of two significant ransomware groups signifies a milestone in the US and its allies’ efforts to disrupt cybercriminal activities.

    BlackCat has been responsible for attacks on various entities, including a German fuel depot, a UK hospital group, MGM Resorts International, and most recently, Change Healthcare, a subsidiary of UnitedHealth Group Inc. In December, US authorities seized BlackCat’s websites and provided a decryption tool to help victims recover their computer systems.

    Jon DiMaggio, chief security strategist at Analyst1, pointed out that such seizures can harm ransomware groups that rent out their malware, as affiliates may fear law enforcement infiltration. Following the takedown, a BlackCat administrator encouraged affiliates to target hospitals.

    The attack on Change Healthcare, discovered on February 21, has caused significant disruptions in the US healthcare system. UnitedHealth announced that some network sections will be restored in mid-March, while electronic prescribing services are already back online. A reported $22 million deposit in a cryptocurrency wallet linked to BlackCat raised questions about ransom payments.

    On the other hand, LockBit, active since early 2020, has targeted over 2,000 victims, including notable organizations like Industrial & Commercial Bank of China Ltd, ION Trading UK, UK Royal Mail, and Boeing Co. Despite law enforcement actions, the group has attempted to resume its criminal activities.

    Fulton County, Georgia, was hacked by LockBit in January, leading to phone outages and utility payment issues. Fulton County officials said they were confronting an unexpected IT outage affecting multiple systems and emphasized that the case against Trump was unaffected by the breach.

    LockBit threatened to release sensitive information online, including details about Trump, but the deadline passed without disclosure. County officials denied paying a ransom and continue to collaborate with the FBI while conducting their investigation. Allan Liska, a threat intelligence analyst at Recorded Future Inc., suggested that the failed bluff indicates the gang’s diminishing power.

    As with other disrupted ransomware groups, LockBit must reassure affiliates of its trustworthiness to fully resume operations. Jackie Burns Koven, head of cyber threat intelligence at Chainalysis Inc., expressed skepticism about the group’s readiness to relinquish its operations easily.

    “I mean, they’ve been the longest running ransomware strain we’ve been tracking,” added Koven. “I don’t know that they’ll want to give it up so easily.” – Bloomberg

    Wan
