In brief: It’s barely been a week since LockBit saw its website taken over and had its operations disrupted by a joint international operation, but the most prolific ransomware group in the world has already returned. The gang says it has restored its servers and is back in the cybercrime business.
LockBit’s website showed a banner last week informing visitors that it was under the control of law enforcement. The takedown, codenamed Operation Cronos, was led by the UK’s National Crime Agency (NCA) together with the FBI and an international task force. LockBit’s operations were disrupted, and suspected group members were arrested in several countries.
LockBit said at the time that the FBI breached the ransomware operation’s servers using a PHP exploit, but its backup servers had not been touched.
“All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies,” LockBit said in a statement on its darkweb site.
LockBit also said that it was resuming the ransomware business and admitted that “personal negligence and irresponsibility” led to law enforcement disrupting its activities, writes BleepingComputer. “Because for 5 years of swimming in money I became very lazy,” the threat actor wrote. “Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time.”
The group says that the admin and chat-panel servers and the blog server were running PHP 8.1.2 and were likely hacked using CVE-2023-3824, a critical PHP vulnerability.
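The practical lesson in LockBit’s own account is an unpatched PHP install. The following check is an added example and is not code from the article or from any of the parties it describes. It parses a `php -v` banner and compares the version against the releases that fixed CVE-2023-3824, a stack buffer overflow in phar directory parsing fixed in PHP 8.0.30, 8.1.22 and 8.2.9 (per the PHP changelog). The sample banners are constructed; the decision to treat end-of-life 7.x branches as vulnerable is a policy assumption made here, not something the page states.

```python
import re

# Minimum release per PHP minor branch that contains the fix for CVE-2023-3824
# (phar_dir_read() stack buffer overflow). Values are from the PHP changelog.
FIXED_VERSIONS = {
    (8, 0): (8, 0, 30),
    (8, 1): (8, 1, 22),
    (8, 2): (8, 2, 9),
}

# Matches the leading "PHP X.Y.Z" of `php -v` output.
VERSION_RE = re.compile(r"PHP (\d+)\.(\d+)\.(\d+)")


def parse_php_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from the first line of `php -v` output."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"could not find a PHP version in: {banner!r}")
    return tuple(int(x) for x in m.groups())


def cve_2023_3824_status(version: tuple) -> str:
    """Classify a (major, minor, patch) tuple against the CVE-2023-3824 fix."""
    major, minor, _patch = version
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return "patched" if version >= FIXED_VERSIONS[branch] else "vulnerable"
    if branch < (8, 0):
        # 7.x and older were already end-of-life when the fix shipped and never
        # received it. Assumption made here: treat them as vulnerable.
        return "vulnerable (end-of-life branch)"
    # 8.3 and later were released after the fix landed on all supported branches.
    return "patched"


def audit(banners: dict) -> dict:
    """Map host name -> status for a dict of host name -> `php -v` banner."""
    return {host: cve_2023_3824_status(parse_php_version(b)) for host, b in banners.items()}


if __name__ == "__main__":
    # Constructed sample banners (hypothetical hosts), not real inventory data.
    sample = {
        "admin-panel": "PHP 8.1.2 (cli) (built: Jan 19 2022 10:44:32) (NTS)",
        "blog": "PHP 8.1.2 (cli) (built: Jan 19 2022 10:44:32) (NTS)",
        "backup-blog": "PHP 8.1.22 (cli) (built: Aug 1 2023 12:18:17) (NTS)",
        "legacy-box": "PHP 7.4.33 (cli) (built: Nov 3 2022 17:21:32) (NTS)",
        "new-box": "PHP 8.3.2 (cli) (built: Jan 16 2024 12:32:14) (NTS)",
    }
    for host, status in audit(sample).items():
        print(f"{host:12s} {status}")
```

Run it against `php -v` output collected from each host; any `vulnerable` result means the phar parser on that box predates the fix, which is exactly the state LockBit describes for its 8.1.2 panels.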
The message claims that the FBI hacked LockBit’s infrastructure because of the ransomware attack on Fulton County that revealed “a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.” The gang said it intends to attack the government sector more often going forward to see if law enforcement has the capabilities to fight back.
LockBit’s data leak site has been moved to a new .onion address that shows five countdown timers with company names. They indicate how long each organization has to pay the ransom, after which time the stolen information will be published.
The UK’s NCA told PCMag that, working with international partners, it had successfully infiltrated and taken control of LockBit’s systems, and was able to compromise their entire criminal operation.
“Their systems have now been destroyed by the NCA, and it is our assessment that LockBit remains completely compromised.”
“We recognized LockBit would likely attempt to regroup and rebuild their systems,” the NCA added. “However, we have gathered a huge amount of intelligence about them and those associated with them, and our work to target and disrupt them continues.”
Authorities say that they have collected more than 1,000 decryption keys as part of their operation against LockBit, though the group claims this number is being greatly exaggerated and about 40,000 keys exist in total.
Masthead: Freepik