“Our work does not stop here. LockBit may try to rebuild its criminal enterprise”. The fears of Graeme Biggar, director general of the NCA, the British Crime Agency, were not unfounded.
On February 20, the LockBit cybercriminal group, presented as “most harmful” in the world, was dismantled during an international police operation. Its website and servers were blocked.
A cybergang back in business?
But the respite was short-lived. On specialized sites, the name of this cybergang began to resurface very quickly. For some, it was a matter of maintaining the illusion of continuity of their activities. The cyberattack suffered by the Simone-Veil hospital in Cannes, on April 16, could prove the opposite. For SaxX, hacker “ethics” and cybersecurity researcher, they are “left again”.
In a long press release released on Tuesday April 30, the establishment announced that it had been the subject of a ransom demand from LockBit 3.0, with an ultimatum issued for midnight this Thursday. As a reminder, this hack resulted in transaction cancellations and consultations within the establishment.
Pascal Le Digol, cybersecurity expert and France manager of WatchGuard Technologies, wants to be careful about the origin of this cyberattack.
“Is it them? Or is this a false claim?”, he asks himself. “This needs to be verified. We have already seen false claims. What is certain is that LockBit needs to show that they are still alive.”
“It’s more than a real demand”assures SaxX for his part. “There is no doubt. It is displayed on the site, on a wall of shame, with the other spoils of war. It’s even to be taken a little too seriously.” And to emphasize “pretty crazy resilience” from the hacker group.
This is evidenced by this countdown which should turn green at midnight on the night of Wednesday to Thursday, the time at which a sample of data could be put online.
A method proven over the years
One thing is certain. The method which affected the proper functioning of the Riviera hospital remains the same as since 2019, the first time the group was spotted. The modus operandi is proven: block data And demand a ransom to unlock them. In the event of refusal, the data is disseminated and, ultimately, resold on the dark web.
However, rather than carrying out a gigantic criminal operation himself, LockBit puts its malware (LockBit 3.0, editor’s note) available to its affiliates – independent pirates – who then pay it a percentage of the ransoms obtained. A system that has a name: “ransomware on demand” or “Raas”, for “Ransomware as a Service” in English.
“Behind [Lockbit] there are Russians, but not only”, specifies Pascal Le Digol. “Affiliates can be anywhere in the world, including Francein Belgium”, abounds SaxX.
An ethical barrier that has been shattered
In just a few years of operation, LockBit and its affiliates have caused billions of dollars in damage and extorted tens of millions of dollars in ransoms to their victims, reminds the ethical hacker. Banks, postal services and even hospitals are among their targets. In France, LockBit was the Source of 27% of ransom demands in 2022 and 2023.
“LockBit is a hacking group that at the base refused to attack the hospitals“indicates cyber security expert Pascal Le Digol. “They even reimbursed a hospital at one point which had been attacked by affiliates. We cannot speak of ethics for a cybergang but they had set this limit for themselves.”
For him, the fact that one of their first major victims, upon their return, was a hospital“it’s a strong sign in terms of communication. It means, ‘you tried to bring us down, we’re going to hit everywhere we can from now on’.”
Also a way of showing, as SaxX deciphers, that“They weren’t made fun of” during the operation at the end of February. “They want to regain the trust of their affiliates. Without them, they are nothing.”
