What We Do
How We Do
Get Started

LockBit Ransomware Operations Might Be Down – Now What?

BY Eldon Sprickerhoff

February 27, 2024 | 4 MINS READ

Want to learn more on how to achieve Cyber Resilience?


In late February 2024, the notorious ransomware group known as LockBit was dealt a severe blow as international law enforcement partners including the Federal Bureau of Investigation (FBI) and the Cyber Division of the U.K. National Crime Agency (NCA) successfully seized many public-facing webservers and servers used for LockBit administration, hobbling the group’s ability to attack, encrypt, and extort victims.

According to cybersecurity expert Kevin Beaumont, a LockBit affiliate claimed that they were behind the ransomware attack that shut down some of the operations of EquiLend, a key financial technology company that processes trillions of dollars of securities lending transactions each month. 

What was interesting to me is that despite confirming to Kevin Beaumont that they were behind the EquiLend ransomware attack, LockBit initially did not post EquiLend on their leak site. This may mean that EquiLend negotiated, and paid, the ransom amount. Update: As of February 25, LockBit have posted EquiLend on their new leak site:

In case you aren’t familiar with the LockBit ransomware group, it emerged in 2019 and has since gained notoriety for its highly targeted and damaging cyberattacks. They often use double extortion as a tactic; in addition to encrypting the victim’s files, they threaten to leak sensitive data if the ransom is not paid (thus increasing the pressure on the victims to comply).

The LockBit group operates as a Ransomware-as-a-Service, where other cybercriminals they recruit can use their underlying tools and infrastructure to launch ransomware attacks and share the ransom payments. Since inception, it is believed that they had targeted 2,000+ victims and received more than $120 million USD in ransom payments.

In September 2023, eSentire’s Threat Response Unit (TRU) released a detailed report on the LockBit ransomware group and how they were targeting their victims. Between February 2022 and June 2023, TRU disrupted three incidents targeting a storage materials manufacturer, a manufacturer of home décor, and a Managed Service Provider (MSP).

According to the report, once the LockBit group gained access into their targets’ environment, they used remote monitoring and management (RMM) tools, their remote access software, or brought in their own RMM tools to deploy ransomware. In the case of the MSP, they attempted to deploy malware to the MSP’s downstream customers.

Moreover, our 2024 SMB Ransomware Readiness report also found that LockBit was the most significant threat for small-medium businesses (SMBs) that fall within the $1 million to $25 million annual revenue range.

Authorities stated that they have obtained keys from the seized LockBit infrastructure and will be able to assist victims unlock their encrypted systems. As well, the Justice Department indicted two Russian nationals with deploying LockBit ransomware to many companies throughout the United States. This brings the number of indicted individuals for their participation in the LockBit ransomware group to five.

Here’s my take on the news – this is truly good news, but we should take care to note that the fight is not over. We should expect that the ‘bad guys’ have backups (just as we do) and that they have an incentive to be resilient in their operations.

This co-operative operation has dealt a serious blow to the parent organization and will hopefully increase their cost of doing business. However, they’re certainly not out of business. In fact, LockBit has already spun up a new Dark Web leak site and for all intents and purposes, they’ve resumed operations.

I also think we will continue to see other ransomware groups use RMM tools to gain initial access into their target organizations. With that in mind, here are some recommendations for organizations to protect themselves:

Protecting your organization against LockBit and other similar ransomware-as-a-service threats will always come down to how vigilant you are about staying ahead of the threat landscape and proactively preventing business disruption.

If you’ve been targeted by LockBit, please contact the FBI here for next steps you can take.

Eldon Sprickerhoff
Eldon Sprickerhoff Founder and Advisor

Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). In founding eSentire, he responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.

Read the Latest from eSentire