The fall and rise of LockBit: Can the healthcare sector now sleep safer at night?

By Richard Staynings, Chief Security Strategist for Cylera



The infamous LockBit Ransomware as a Service (RaaS) has established itself as one of the most prolific and destructive Russian ransomware groups, providing significant challenges to organisations globally.

Since its emergence in 2019, the criminal gang has gained notoriety for its ruthless attacks, claiming over 2,000 victims worldwide and extorting over $120 million in ransom payments.

As part of its initial seeding of compromised networks with ransomware, LockBit exfiltrates confidential information, threatening to then publish it on its websites if victims fail to make payments.

The gang is also known to publicly taunt its victims with a countdown clock of when the information will be publicised.

And no organisation appears to be out of bounds for this dangerous criminal cyber gang, including healthcare.

In fact, healthcare is one of the top sectors targeted by the RaaS gang according to a recent report. In 2022 the gang infamously crippled NHS 111 services and out-of-hours GP surgeries.

The critical healthcare service’s digital systems were forced offline with hospital staff resorting to pen and paper.

Then, more recently, LockBit claimed a cyberattack on US healthcare organisation, Capital Health, wiping its IT systems offline and disrupting services for several months.

The ransomware group claims to have stolen seven terabytes of sensitive medical data, blackmailing Capital Health with a demand for a large payment in return for keeping the critical data confidential.

Six months on and the healthcare institute is still suffering from the effects, with 74 per cent of patient care affected and systems still significantly disrupted.

Government agencies take down LockBit 

The good news is that on February 19th this year the UK’s National Crime Agency (NCA) and the US FBI led an international law enforcement action resulting in a “take-down” of the RaaS group when they seized control of LockBit’s primary administration environment.

This environment enabled affiliates to build and carry out attacks and host a public facing site to publish stolen data.

Dubbed ‘Operation Cronos’, the months-long operation gave the task force access to decryption advice and keys for more than 1,000 victims, many likely linked to the healthcare sector, which helped the task force restore encrypted data.


Authorities were also able to dismantle LockBit’s bespoke data exfiltration tool, known as Stealbit, leading to the identification, indictment, and arrest of many of the gang’s generals.

Significantly, data belonging to a number of victims who had reportedly paid their ransom was found to still be stored.

This shows that data isn’t always destroyed on receipt of payment, as the criminal gang claims.

LockBit re-emerges within days

Despite the dismantling of LockBit and its RaaS, within just a few days the threat actors re-emerged via a new dark website, naming more of their victims.

In a statement posted on their new dark web domain, LockBit stated that while their infrastructure and new affiliate domains had been established, rebuilding their affiliate network would take time.

However, this does not mean that Operation Cronos was unsuccessful. In fact, the law enforcement agencies likely anticipated this re-emergence.

The takedown of LockBit not only took down the leak site; it also demonstrated that law enforcement was able to acquire decryptors, freeze crypto assets and identify associates.

This highlights that threat actors have their own vulnerabilities and a lot to lose.

So, what does this disruption to LockBit mean to the future security of healthcare?

LockBit’s future threat to healthcare

The return of LockBit’s RaaS raises serious concerns, particularly for the healthcare sector, due to its potential to exacerbate existing vulnerabilities and disrupt critical services.

With its re-emergence, LockBit offers a simple platform for its own and other cybercriminals to execute sophisticated ransomware attacks with minimal technical expertise, significantly lowering the barrier to entry for aspiring threat actors.

The consequences are substantial in healthcare, where the stakes are high and critical patient care is on the line.

The resurrection of LockBit RaaS threatens to unleash a fresh wave of ransomware attacks against healthcare institutions, leaking sensitive patient information and disrupting critical medical services.

Furthermore, the financial and reputational consequences of such assaults can be disastrous, with healthcare providers facing high ransom demands, regulatory penalties, and a loss of patient confidence.

What more needs to be done?  

The emergence of cybercriminal activities such as LockBit highlights the critical necessity for ongoing and joint efforts to successfully tackle ransomware threats.

While Operation Cronos dealt temporary setbacks to LockBit, the reality is cybercriminals are agile and adaptive, constantly evolving their tactics to exploit vulnerabilities.

It was great to see the ‘home team’ win a game finally, but there’s a long way to the finals.

The trouble is that with cybercrime it takes many months or years to properly attribute actions, victims, criminal actors, and all those involved in a cyberattack.

This includes extortion, in which this cyber group specialises, as well as other forms of cybercrime involving intellectual property theft, espionage, or preparation for a takeover of a critical infrastructure system one day.

Law enforcement must do things properly for prosecutions to stick and to identify all those involved in a criminal act.

Operation Cronos was one of the better days, that’s for sure.

To reduce the risk of falling victim to criminal gangs like LockBit, healthcare organisations must have a robust IT and IoT cybersecurity maturity model in place to provide a more assured and comprehensive security posture – moving from reactive to proactive defence.

A strong cybersecurity maturity model provides healthcare with complete visibility of the network.

It enables a real-time inventory of all healthcare IoT devices connected to the infrastructure, threat response prioritisation, and risk mitigation – all critical to fortifying defences and strengthening an organisation’s security posture against the diverse and ever-evolving threats facing healthcare environments today.
