Cybercrime cops still celebrating the takedown of LockBit should put the champagne back on ice because the Russia-linked hackers have re-emerged — and declared support for Donald Trump.
Often described as the “world’s most active ransomware group,” LockBit was disrupted last Tuesday by an international coalition of law enforcement agencies.
According to Europol, the task force infiltrated the gang’s “primary platform and critical infrastructure.” Members of LockBit were also arrested and charged. Britain’s National Crime Agency said the sting had compromised “their entire criminal enterprise.”
But less than a week later, LockBit has reemerged on the Dark Web. On a new site, the gang shared an apparent list of corporate victims, an explanation for the takedown — and that dubious endorsement of Trump.
In a lengthy message posted on Monday, the group’s presumptive leader blamed their “personal negligence and irresponsibility” for the takedown.
They also said the bust was triggered by the recent theft of data from government systems in Fulton County, Georgia.
“The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election,” the message claimed.
Then came the suspicious political declaration:
“Personally I will vote for Trump,” they said.
Cybersecurity experts, however, doubt that LockBit’s leader is a US citizen. Nonetheless, they’re extremely concerned about the group’s return.
What’s next for LockBit?
Analysts have spotted clear signs of LockBit resuming operations.
Tim Geschwindt, a senior associate on the cyber incident response team at security consultancy S-RM, said the hackers recovered their infrastructure over the weekend. To do this, they used backup servers that weren’t compromised during last week’s takedown.
With the gang again open for business, LockBit affiliates are now returning to work. Several new incidents have been reported over the last 24-48 hours, Geschwindt said, while fresh victims are appearing on new sites.
“We expect LockBit are likely to return to pre-takedown levels of attack volume; however, it may take several weeks before they iron out issues with the new infrastructure, and ramp up their activity,” Geschwindt told TNW.
“Ultimately, despite several large takedowns in 2023 and early 2024, we have not seen a major dent in the number of global ransomware attacks or ransom payments.”