CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow won’t impact ransomware overall. As in the past, another group will pick up the slack, or LockBit itself will reform and get back into business.

For background, the UK National Crime Agency’s (NCA) Cyber Division, working in cooperation with the US Justice Department, Federal Bureau of Investigation (FBI), and other international law enforcement agencies seized numerous public-facing websites LockBit used to connect to the organization’s infrastructure, along with control of numerous servers used by administrators, disrupting the ability of the threat actors to attack and encrypt networks and extort victims by threatening to publish stolen data, the US Department of Justice reported.

The US Department of Justice estimated that LockBit targeted more than 2,000 victims and received more than $120 million in ransom payments while it was in operation.

The action taken required arduous pre-planning and execution and should not be overlooked. In the short term, this will go some way to stopping or reducing LockBit infections.

Over the longer term, however, I suspect it’ll be business as usual. After all, we have seen other major threat groups taken offline, only to see them pop back up. These include ALPHV/BlackCat and Hive, which were dismantled and then reborn.

Why? Because the recent law enforcement activity does not remediate the root issues that LockBit exploits. Organizations continue to ignore basic cyber hygiene and aren’t prepared not only for an attack, but for incident response and recovery.

I would imagine the concern organizations have to stop threat actors from conducting internal, lateral movement is as trivial today as it was yesterday.

What today’s news should be is a call for businesses around the globe to review their ‘three Ps:’ Passwords, Patching, and Policies! An organization will be safe from ransomware and other cyber threats only by making themselves a tough nut to crack.

Cybersecurity is a constant game of cat and mouse where innocent organizations must continue to focus on securing themselves and making themselves a “tough nut to crack.” I will give it two to three months, after which we’ll see a reincarnation of this flavor of ransomware, which I suspect will be even more sophisticated as the threat actors will have taken lessons from today and be able to cover their tracks better going forward.


LockBit 3.0 and the Ransomware Threat

Over the course of the last year, Trustwave’s elite SpiderLabs team has published multiple threat intelligence reports. While each report is centered on a different vertical market, there has been a common thread, ransomware is a primary threat, and LockBit is/was the most prolific group.

In the recent report on the manufacturing sector, LockBit is credited with claiming ownership of 30% of all attacks, in retail 44% and about 24% in the financial arena. The Clop ransomware group has the edge on LockBit in attacking financial actors responsible for 39% of attacks.

Just as a quick reminder on the threat. Ransomware typically encrypts or locks data and then demands the victim pay a ransom to regain access to the data. Initial access is gained through various means, such as phishing emails, exploiting vulnerabilities, or even using illegally obtained login credentials.

Modern ransomware campaigns prevent recovery by attempting to remove access to backup files and deleting Volume Shadow Copies.

More recently, ransomware groups have added an extortion component to these attacks. They will exfiltrate valuable data prior to deploying the ransomware and then publicly post proof of the attack to scare/shame the victim organization into paying the ransom. If the victim refuses to pay the ransom, the threat actor still has a dataset they can turn around and sell. This activity is commonly referred to as a double extortion tactic.

Threat actors will go to great lengths to get paid. Attackers also use extortion techniques. These are when threat actors will strategically deploy a Distributed Denial of Service (DDOS) attack as a three-layer extortion tactic.

Lastly, another piece of good news related to the takedown of LockBit is the agencies have developed decryption capabilities that may enable hundreds of victims around the world to restore systems encrypted by the LockBit ransomware variant. Beginning today, victims targeted by this malware are encouraged to contact the FBI at to enable law enforcement to determine whether affected systems can be successfully decrypted.

Latest Trustwave Blogs

Unlocking the Power of Offensive Security: Trustwave's Proactive Approach to Cyber Defense

Clients often conflate Offensive Security with penetration testing, yet they serve distinct purposes within cybersecurity. Offensive Security is a broad term encompassing strategies to protect...

Read More

Behind the Scenes of the Change Healthcare Ransomware Attack Cyber Gang Dispute

Editor’s Note – The situation with the Change Healthcare cyberattack is changing frequently. The information in this blog is current as of April 16. We will update the blog as needed. April 16, 2024:...

Read More

Law Enforcement Must Keep up the Pressure on Cybergangs

The (apparent) takedown of major ransomware players like Blackcat/ALPHV and LockBit and the threat groups’ (apparent) revival is a prime example of the Whack-a-Mole nature of combating ransomware...

Read More