Never assume the end of an attack infrastructure

Concept art representing cybersecurity principles
Nytt DDoS-rekord (Image credit: Shutterstock / ZinetroN)

In February 2024, Operation Cronos, a coalition of international law enforcement agencies led by the UK’s National Crime Agency and the U.S. FBI, seized control of the attack infrastructure of the infamous Lockbit ransomware gang, deemed the world’s ‘most harmful cyber group.’ A sigh of relief echoed across the infosec community, with many believing this marked the end of an ongoing nightmare. However, reality proved different: less than a week later, the ransomware-as-a-service operator was back online with a new leak site, listing five victims and countdown timers for the publications of the stolen information.

This resurgence is not atypical. These threat groups are increasingly deploying an advanced attack infrastructure and comprehensive backups that allow them to return to operations. I will set out three recent examples that demonstrate the resilience of these groups to law enforcement interventions.

Paolo Passeri

Cyber Intelligence Principal, Netskope.

Lockbit’s resilience

Ironically, in order to take over the LockBit website, law enforcement agencies exploited CVE-2023-3824, a vulnerability affecting PHP – which mirrored one of the main attack vectors used by the LockBit group, specifically the exploitation of vulnerabilities. According to the threat actor, ‘personal negligence and irresponsibility’ led to a delay in applying the patch and made the takeover possible. And yet, LockBit’s immediate comeback was facilitated by the availability of backups– an essential best practice for any organization. Following the takedown, LockBit confirmed the breach, but also claimed they only lost servers running PHP, while their backup systems without PHP remained intact.

Before the brief takedown, LockBit was one of the major threats for the financial sector. Unsurprisingly, attacks carried out via the LockBit ransomware and its variants continued throughout 2024, even after the takeover. This persistence was partly due to another complication quite common in the threat landscape: the source code of the malware builder had already been leaked online by an angry developer, spawning multiple variants that continue to plague businesses worldwide, fueled by the continuous exploitation of vulnerabilities.

The existence of backups indicates that the attackers built a resilient infrastructure with a contingency plan, anticipating the possibility of being taken over. At its core, cybercrime is a business, so threat actors adopt best practices that every enterprise should follow, building robust infrastructures to ensure protection against outages or disruptive events, such as a law enforcement takedown. This serves as an important wake-up call, reminding us that even if law enforcement agencies dismantle a criminal infrastructure, the operation may not be gone for good.

A BlackCat exit

A second demonstration of the resilience of malicious infrastructure is an analogous event involving a different ransomware operation. In December 2023, law enforcement agencies led by the U.S. FBI - and involving agencies from the UK, Denmark, Germany, Spain, and Australia - seized the BlackCat/ALPHV infrastructure. However, two months later, the ransomware group unexpectedly resurfaced, claiming responsibility for several high-profile attacks in the financial and healthcare sectors.

An interesting twist in this comeback involved the attack against Change Healthcare, which ended with the victim organization paying a $22 million ransom in Bitcoins. Two days after the payment was made, accusations surfaced that the ransomware operation had cheated other affiliates out of their portion of the bounty, and four days after the payment (two days after the accusations), the FBI and other law enforcement agencies appeared to have taken over the leak site again. 

However, law enforcement agencies denied any involvement in this second shutdown and this aspect, coupled with the fact that the page that appeared on the leak site after the second apparent shutdown looked like a copy of the original one from the December 2023 takeover, led experts to speculate that the threat actors may have executed an exit strategy: happy to leave the stage with $22 million in their pockets, severing ties with their affiliates, and potentially selling the ransomware-as-a-service source code for $5 million – a common practice recently adopted by the Knight 3.0 ransomware. This evidence suggests that the emergence of variants will extend the life cycle of this malware well beyond the shutdown of the original operation.

The way this story appears to have ended suggests that not only are organized criminal operations resilient and often able to survive takedown efforts by law enforcement agencies, but also that threat actors may decide to leave the scene voluntarily. They might do so either because they believe they have achieved their lucrative objectives or because they deem the market conditions no longer favorable. In the case of BlackCat/ALPHV, it is believed that the fluctuation in the price of Bitcoin, or even a potential shift in focus to other targets, such as Ukraine (given that the threat actors are of Russian origin) may have influenced their decision to shut down the operation.

Ducking law enforcement

The comebacks of malicious operations after shutdown attempts by law enforcement are not limited to ransomware operations. A third remarkable example is the short-lived takedown of the infamous Qakbot botnet through Operation Duck Hunt, carried out by the FBI and its partners in 2023. Qakbot is one of the most flexible weapons for threat actors due to its modular nature, allowing it to distribute multiple malicious payloads, including various ransomware strains, resulting in hundreds of millions of dollars in damages. Predictably, this apparent victory was short-lived. Just two months after the law enforcement operation, the threat actors quickly refitted their malicious infrastructure to distribute additional payloads.

More Qakbot campaigns were detected, featuring new variants with malware improvements. These campaigns included distributing Cyclops and Remcos remote access tools in October 2023 through malicious PDF documents to the hospitality sector under the guise of fake IRS communications, as well as a fake Windows installer in January 2024. According to Netskope Threat Labs, Qakbot was one of the main threats targeting the retail sector between March 2023 and February 2024, showcasing the resilience and flexibility of an attack infrastructure.

Remaining vigilant

Cybercrime is now big business, with attackers possessing vast resources to build increasingly pervasive and resilient threats. To combat these sophisticated attacks, organizations must adopt a comprehensive security strategy that is continuous, pervasive, and resilient. This involves implementing multi-layered defenses, continuous monitoring, real-time threat detection and regular security assessments. 

Additionally, it would be wise to follow the example and learnings of these resilient threat actors, fostering a culture of cybersecurity awareness, maintaining up-to-date systems, and having robust incident response and disaster recovery plans. Eliminating all cybersecurity blind spots is crucial, as even minor vulnerabilities can lead to significant breaches. Organizations must be prepared to defend against all types of threats and attack groups.

We feature the best cloud antivirus.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:

Paolo Passeri, Cyber Intelligence Principal, Netskope.