“Hack on LockBit may lead to a more dangerous threat landscape”

The hacks on ransomware groups LockBit and Everest seem like a positive development, but according to Orange Cyberdefense, they pose new risks. The weakening of major players creates a fragmented threat landscape in which smaller, chaotic groups gain the upper hand.

Cybercriminals are getting a taste of their own medicine. LockBit and Everest, two notorious and feared ransomware groups, have fallen victim to cyberattacks. Their dark web sites displayed the mocking message “Don’t do crime. CRIME IS BAD xoxo from Prague.” The damage was even greater for LockBit: their entire internal database was leaked.

The attackers gained access through a known WordPress vulnerability. LockBit also stored passwords in plaintext, which shows how poor these criminal organizations’ basic security hygiene was.

The leaked database contains approximately 60,000 Bitcoin addresses, over 4,400 chat messages between LockBit and victims, and login details of 75 members. This information gives security services unique insights into how these groups operate.

Proliferation of smaller players

However, Strategic Advisor Jort Kollerie of Orange Cyberdefense warns of the consequences. “When big players like LockBit and Everest weaken, a new dynamic emerges within the cybercrime landscape,” he says. “The well-known term for this is: one dies, one rises.”

According to Kollerie, there will be a proliferation of smaller groups operating chaotically. They will use leaked tools but lack the structure of their predecessors, making the threat landscape unpredictable and more difficult to combat.

New challenges for security

This poses new problems for security teams. They can rely less on known attack patterns. Instead of a few large, predictable players, dozens of smaller groups operate with different methods.

However, the leaked data does offer opportunities. Bitcoin addresses can be linked to specific attacks, and the negotiation chats reveal how the groups operate. “Arrests are not to be expected immediately, but they cannot be ruled out either,” says Kollerie.

Threat intelligence teams can convert the data, such as the leaked wallet addresses and the patterns in the victim chats, into indicators and detection rules. In this way, the leaks help companies strengthen their defenses against known attack patterns and give security professionals concrete opportunities to stay one step ahead of cybercriminals.
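As an added, constructed example (not code from the article or from Orange Cyberdefense), the block below shows one way a threat-intel team can turn a leaked list of payment wallets into a detection check: candidate addresses are pulled out of free text such as a ransom note, look-alike tokens are discarded by verifying the Base58Check checksum, and any survivor that appears in the leaked set raises an alert. The "leaked" wallets are synthetic, generated here from made-up 20-byte hashes so they have valid checksums but belong to nobody; only legacy Base58Check addresses (starting with 1 or 3) are handled, and bech32 (bc1...) addresses would need a separate checksum routine.

```python
"""
Turn leaked ransomware payment addresses into a detection check.

Constructed example: the "leaked" wallets below are generated from made-up
20-byte hashes, so they carry valid Base58Check checksums but belong to
nobody. Only legacy Base58Check addresses (1... / 3...) are handled; bech32
(bc1...) addresses need a separate checksum routine.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 with each leading zero byte encoded as a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; each leading '1' becomes a zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def make_address(version: int, hash160: bytes) -> str:
    """Build a Base58Check address from a version byte and a 20-byte hash."""
    payload = bytes([version]) + hash160
    return b58encode(payload + double_sha256(payload)[:4])


def is_valid_base58check(addr: str) -> bool:
    """Reject look-alike tokens: wrong length, bad alphabet or failed checksum."""
    if not 26 <= len(addr) <= 35 or any(c not in B58_ALPHABET for c in addr):
        return False
    raw = b58decode(addr)
    if len(raw) != 25:
        return False
    return double_sha256(raw[:21])[:4] == raw[21:]


# Constructed "leak": synthetic addresses standing in for a threat-intel feed.
LEAKED_WALLETS = {
    make_address(0x00, hashlib.sha256(b"constructed-wallet-1").digest()[:20]),  # P2PKH, starts with 1
    make_address(0x05, hashlib.sha256(b"constructed-wallet-2").digest()[:20]),  # P2SH, starts with 3
}
# A valid address that is NOT in the feed, and a one-character corruption of a
# leaked one (its checksum no longer verifies, so it must not produce a hit).
UNRELATED_WALLET = make_address(0x00, hashlib.sha256(b"constructed-wallet-3").digest()[:20])
_leaked = sorted(LEAKED_WALLETS)[0]
BOGUS_ADDRESS = _leaked[:-1] + ("2" if _leaked[-1] != "2" else "3")

# Candidate shape of a legacy address; the checksum check does the real filtering.
CANDIDATE_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def extract_addresses(text: str) -> list:
    """All checksum-valid legacy addresses found in free text (ransom note, log line)."""
    return [m for m in CANDIDATE_RE.findall(text) if is_valid_base58check(m)]


def match_ransom_note(text: str, feed: set) -> dict:
    """Detection rule: alert when the text contains a wallet from the leaked feed."""
    found = extract_addresses(text)
    hits = sorted(a for a in found if a in feed)
    return {"addresses": found, "matched": hits, "alert": bool(hits)}


# Constructed ransom note mixing a leaked wallet, an unrelated one and a typo.
SAMPLE_NOTE = (
    "Your files are encrypted. Pay 2 BTC to " + _leaked + " within 72 hours.\n"
    "Backup address: " + UNRELATED_WALLET + ". Do NOT use " + BOGUS_ADDRESS + "."
)

if __name__ == "__main__":
    print(match_ransom_note(SAMPLE_NOTE, LEAKED_WALLETS))
```

The checksum step matters in practice: a bare regex for "something that looks like a wallet" fires on random Base58-looking tokens in logs and on mistyped addresses, while a checksum-verified match against a curated feed gives an indicator precise enough to alert on. The same structure applies to other indicators from a leak (e-mail addresses, onion hostnames), with the validation step swapped for one that fits the indicator type.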