The federal bureau of trolling hits LockBit, but the joke's on us

When you can't lock 'em up, lock 'em out

Opinion: The best cop shows excel at mind games: who's tricking whom, who really wins, and what price they pay. A twist of humor adds to the drama and keeps us hooked. It's rare enough in real life, and rarer still in the grim meat grinder of cybersecurity, yet sometimes it happens. It's happening right now.

It all kicked off on February 20. Operation Cronos, led by the UK's National Crime Agency and the US's FBI, was put together by agencies from ten countries with the aim of closing down the world's most successful ransomware gang, LockBit. And so it came to pass, with 30-plus servers taken out, source code, decryption keys, affiliate details, chat logs and other good things obtained, and the users getting the traditional "Game over" message when they tried to connect.

Only it wasn't the usual message. Alongside the "this site has been seized by law enforcement" stuff, the agencies had spent some effort in crafting what can only be described as a slab of swaggering trolling. The original site had a loading animation of the logos of the high-profile victims; this was replaced by one of the flags of the agency consortium that had just administered the kicking. Embedded images of proof of compromise had jokey file names. Best of all, the countdown timer by which LockBit displayed how long victims had left to pay up had been duplicated, only this time counting down to the unmasking of LockBit's head honcho, LockBitSupp.

The cops had deployed a secret weapon – a sense of humor. That they even had one was a surprise, but that they'd use it in a takedown was unprecedented. Then again, LockBit was an unprecedented target.

Since it appeared in 2019, LockBit has become the most successful ransomware gang, hitting state agencies and big businesses around the world while extracting an estimated $100 million. It's done this by adopting a remarkably business-oriented model of operation, signing up associates who do the actual hacking. LockBit provides the tools and manages the negotiations with victims, in exchange for a 20 percent cut of the take.

LockBit's marketing and online presence wouldn't disgrace many a legit operation, with the minor proviso that it is marketing to criminal gangs and operating on the dark web. It ran bug bounty programs on its own systems and opsec. It promoted the quality of its products. Crucially, what LockBit didn't do was collect the ransom – it left that to the affiliates. Standard practice in the lawful world, but a big builder of trust in the criminal underworld.

So it makes sense that when this largest and most professional criminal gang was taken down, the temptation to stick a cherry on top was irresistible. It makes even more sense in the highly competitive and reputation-driven world of ransomware gangs. It's bad enough to suffer the humiliation of being publicly owned, and far worse to get a troll pie in the face at the same time.

The danger of trolling is that you'll be made to look even more ridiculous in return, and it's here that the plot starts to get seriously engaging. That countdown timer ended not with the big reveal, but a so-what list of things about LockBitSupp – they drive a Mercedes instead of a Lamborghini. They might even live in Russia. Only a handful of arrests were made. Worse still, just five days after Operation Cronos, LockBit and LockBitSupp reappeared online, with headline-grabbing hostage data packages and LockBitSupp dissing the feds something rotten. We expected that, replied the FBI and pals, and besides we've got the keys to help thousands of victims. LockBitSupp had said that the seized keys wouldn't work, so all we can do is wait for the next round to see who wins.

Regardless of what happens next, the whole business illustrates some unpalatable truths. LockBit's disaster recovery procedures seem to be much better than those of many of its victims. It's tiny in comparison, but every organization can be thought of as an agglomerate of much smaller units. Partitioning DR as a highly granular map of resources may be surprisingly efficient, especially in terms of testability and responsiveness. Until IT infrastructure becomes fully hardened against attacks, which will happen at the same time as Elon Musk enters a monastery, assume you will become a victim and build accordingly.

On a darker note, LockBit is basically invulnerable, and will remain so while it's a criminal gang in a mobster nation. When you can't get mobsters for their crime, and you can't cut them off from their technology, you go for their money. With ransomware gangs, all that money, every last cent, comes in via cryptocurrency.

Here, the hackers we need aren't in white hats or behind desks in acronym agencies – they live in the free world's financial regulators. You can't block the blockchain, but you can regulate every point cryptocurrency interfaces with the real stuff, in the exchanges and the other financial institutions that translate dollars and euros into BTC.

You can't trade cocaine futures on commodity exchanges because it is a destructive drug that enables crime. Why tolerate Bitcoin? Until that's fixed, whatever the cops do about ransomware they'll end up looking foolish. The wrong people will win – and that's not funny. ®
