The LockBit ransomware group has announced its return after a global police crackdown led by Operation Cronos. Despite law enforcement efforts to dismantle the group’s infrastructure and seize assets, LockBit has relaunched on a new platform, continuing to threaten and carry out cyberattacks. The group’s defiance comes after the FBI’s alleged use of a vulnerability to infiltrate their servers, which has led to a mix of resistance and continued criminal activity from the group.
Key Insights
- LockBit, a Russian-speaking ransomware group, has reactivated its darknet leak site after a global police crackdown.
- The group’s leader claimed that the FBI used a vulnerability, CVE-2023-3824, to infiltrate their servers.
- LockBit swiftly solved the vulnerability and has remained defiant against police takedown efforts.
- Operation Cronos involved multiple took place just a week back and allowed LE access to decryption keys, source codes, and cryptocurrency wallets owned by Lockbit.
- The FBI has declined to comment on the recent developments.
- Speculation exists around the identity of the LockBit leader, known as LockBitSupp, with suggestions of connections to the Russian security apparatus.
- LockBit has already targeted over 2,000 victims and obtained over $120 million in ransom payments.
- LockBit has posted new victim entries on its relaunched site, including one for Fulton County, Georgia.
- Operation Cronos resulted in the seizure of 34 servers and over 200 cryptocurrency wallets linked to LockBit. It’s uncertain whether that’s been resolved on Lockbit’s side.
A week after the FBI announced their successful “Lockbit Takedown,” Lockbit’s leaders bounced back. These events came about on a Saturday afternoon, with a detailed declaration allegedly from the group’s leader. In this declaration, the group’s leader stated that they would not back down or leave any of their criminal activities, even though law enforcement has recently targeted them and their illegal activities.
In the statement, the leader of LockBit stated that the FBI might have made use of a vulnerability identified as CVE-2023-3824 in the PHP web-scripting language to infiltrate the ransomware-as-a-service operation’s servers.
“All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies,” said the statement, which was published in English and Russian.
LockBit Defies Police Takedown Efforts
The vulnerability was not patched by LockBit, and the leader admitted to becoming complacent due to the operation’s financial success over the past five years. Law enforcement did not make any advances to take down the backup servers that did not have PHP installed, LockBit said:
“All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid,”
The leader’s message came across as strong, accusing the FBI of attempting to undermine the reputation of the LockBit’s affiliate program and also demoralize him. With the aim of forcing him to abandon his activities. This did not work on the leader, as he stated that such efforts would not scare him, asserting his continued involvement in criminal activities as long as he was alive.
This comes in the wake of actions by British, U.S., and European law enforcement agencies under Operation Cronos, which saw the initial takedown of the LockBit website and announcements regarding the seizure of decryption keys, source code, and cryptocurrency wallets.
The Response and Continued Speculation Around Its Leader
The FBI declined to comment on this afternoon’s developments according to the Information Security Media Group
The Law enforcement agencies that are behind the takedown, acting under the banner of Operation Cronos, said that they would reveal the identity of LockBit leader LockBitSupp, but did not.
“We know who he is. We know where he lives. We know how much he is worth.”
Although there was anticipation for the reveal of the LockBit leader’s identity, law enforcement chose to release a statement saying that knowledge of the leader’s identity and whereabouts was stopped short of possible public disclosure.
Speculation by Yelisey Bohuslavskiy, who is the chief research officer at RedSense, suggested that the leader known as LockBitSupp, might have been associated with the Russian security apparatus since 2021. Allan Liska, a principal intelligence analyst at Recorded Future, commented on the significant impact of the takedown on LockBit and its leader, suggesting that the operations, so-called invincibility have now been effectively challenged.
“LockBit has been seriously damaged by this takedown and his air of invincibility has been permanently pierced. Every move he has taken since the takedown is one of someone posturing, not of someone actually in control of the situation,” said Allan Liska.
The revived leak site posted entries of victims, including one for Fulton County, Georgia, emphasizing and highlighting LockBits claimed responsibility for a January attack on country systems. The operation also alleges that the FBI’s takedown was somewhat motivated by a desire to bring a stop to the leak of documents stolen from Fulton County.
The FBI might have made use of a zero-day vulnerability in PHP to creep into the LockBit server, capturing the ransomware decryptors 1,000 out of 20,000. This action appears to have been aimed at stopping the group from leaking sensitive documents.
LockBit’s statement further claimed that the FBI’s operation only captured a fraction of the ransomware decryptors and other data, emphasizing that the names of nearly 200 affiliates listed have no real connection to their actual online identities.
The Path to Recovery
The operation announced plans to make future takedowns more difficult by decentralizing its hosting. Jon DiMaggio, a ransomware tracker and chief security strategist at Analyst1, gave a critical view of LockBitSupp’s statements, warning again that fully believed what was said. He pointed out that even though LockBit is trying to make a comeback, the damage that was already done to its reputation might slow down the recovery process.
This comeback of LockBit, underscored by a mix of resistance and alleged law enforcement engagement, shows a complex chapter in the ongoing battle between cyber criminals and international law enforcement agencies.