Never assume the end of an attack infrastructure

In February 2024, Operation Cronos, a coalition of international law enforcement agencies led by the UK’s National Crime Agency and the US FBI, took control of the attack infrastructure of the infamous LockBit ransomware gang, considered the “most malicious cyber group” in the world. There was a sigh of relief throughout the infosec community, with many believing this marked the end of an ongoing nightmare. However, the reality turned out to be different: less than a week later, the ransomware-as-a-service operator was back online with a new leak site, listing five victims alongside countdown timers for the publication of the stolen information.

This revival is not atypical. These threat groups are increasingly deploying advanced attack infrastructure and extensive backups that allow them to become operational again. I will outline three recent examples that demonstrate the resilience of these groups in the face of law enforcement interventions.

Paolo Passeri

Cyber Intelligence Director, Netskope.

The resilience of LockBit