The impact of Operation Cronos continues to hinder the LockBit ransomware group’s operations, and the gang has begun posting fake victim claims to its leak site.
Nearly 80% of victim entries that appear on the group’s new data leak site post-Operation Cronos are illegitimate claims, according to a new report by Trend Micro, a Japanese cybersecurity firm that took part in the law enforcement operation that took down LockBit’s infrastructure on February 19, 2024.
Over two-thirds of the listed victims (68%) were reuploads from attacks that occurred before Operation Cronos and 10% were victims of other ransomware groups, namely ALPHV/BlackCat and RansomHub.
Trend Micro also found that 7% of the post-Operation Cronos uploads had quickly been removed.
“14 victims were still not revealed and we didn’t find any public information apart from the posts on the LockBit site that claim to verify the actual attack dates,” added the report.
Based on this analysis, Trend Micro assessed that LockBit is trying to manipulate its new leak site by populating it with fake victim data and giving it an appearance of normalcy, as if the group was fully back up and running.
Other suspicious behaviors, such as removing victim names before the end of the countdown timer and uploading victims in batches, also support this hypothesis.
Impact of Operation Cronos on LockBit’s Affiliates
As part of Operation Cronos, Trend Micro revealed that, before the takedown, the LockBit admins were working on a new, platform-agnostic ransomware build that researchers called LockBit-NG-Dev (NG stands for ‘next generation’).
However, the takedown has likely put any such development projects on hold, as LockBit had to focus on restoring its infrastructure.
While LockBit’s kingpin (aka LockbitSupp) promised to return quickly, the group affiliates’ ability to launch new attacks seems severely hampered.
The Trend Micro report shows a clear drop in the number of actual infections associated with LockBit ransomware following Operation Cronos, with only one small attack cluster observed in the three weeks following the disruption.
On cybercrime forums, users claiming to be LockBit affiliates complained about disruptions to the group’s infrastructure even before the operation was publicly announced.
“An actor using the handle ‘Desconocido’ complained that three ongoing campaigns were affected by the disruption,” the Trend Micro report states.