
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

LockBit Ransomware Group Restores Servers Following Law Enforcement Takedown

Last week, 32 servers, the affiliate portal, and the data leak site used by the LockBit ransomware group were seized in an international law enforcement operation; however, the takedown appears to have been short-lived, as the LockBit data leak site has now been re-established. The LockBit group has also posted a lengthy explanation of what happened, along with its plans for future attacks. The post states that the takedown will not affect operations, that LockBit attacks will continue, and that more attacks will be conducted on the government sector.

Operation Cronos was a collaboration between law enforcement agencies in the United States, United Kingdom, and Europe. In a series of announcements last week, the agencies detailed the success of the operation. LockBit source code, cryptocurrency wallets, and decryption keys were obtained, and a decryptor was released that allows victims of LockBit attacks to recover their encrypted files. The UK’s National Crime Agency also threatened to reveal the identity of LockBitSupp, the supposed leader of the operation, on Friday, although that information was not released. Instead, a statement about the identity of LockBitSupp was added to the seized leak site: “We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with law enforcement :)”

In the post, the LockBit group explained that the actions of the FBI and the other law enforcement agencies that participated in Operation Cronos were intended to intimidate and scare the group into shutting down operations, but the group was defiant and claimed the attacks would continue, despite the takedown. “I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid,” said LockBitSupp in the post. He boasted about the money he had earned and said that the wealth accrued and the luxuries that could be afforded did not bring nearly as much satisfaction as running the LockBit operation.

The LockBit group said the FBI most likely exploited a PHP vulnerability, CVE-2023-3824, to gain access to the LockBit servers. “I realize that it may not have been this CVE, but something else like 0-day for PHP, but I can’t be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims’ admin and chat panel servers and the blog server were accessed.” LockBitSupp said the failure to patch was due to “personal negligence and irresponsibility.”


The LockBit group also confirmed that backup servers that didn’t have PHP installed were not compromised or seized and that the takedown was timed to prevent the release of documents stolen in the attack on Fulton County in Georgia in January, which could affect the outcome of the upcoming U.S. Presidential election. The attack saw data from the county court and tax systems stolen, and Fulton County is where a lawsuit against Donald Trump and 18 codefendants is being heard over the alleged attempts to overturn the 2020 election.

In the post, LockBit said the takedown was not as extensive as it was made to appear: only around 1,000 ransomware decryptors were obtained, whereas there were around 20,000 on its servers, and the list of LockBit affiliates that was obtained and published does not include any real nicknames or monikers used in forums. In response to the takedown, the group said changes would be made to make any future attempted takedowns even harder, such as decentralizing the hosting of its administrative panel. The group also claimed that the reason it took four days to recover was an incompatibility with the latest version of PHP, which required the source code to be edited.

The core members of the LockBit group are believed to reside in Russia, where they are tolerated as long as their activities align with the goals of Russia and they do not conduct attacks within Russia or in any of the Commonwealth of Independent States (CIS). Russia does take action against threat actors that violate those rules of operation. Recently, Russia announced that three members of the SugarLocker ransomware group had been arrested for conducting attacks within Russia and CIS nations; however, no action is likely to be taken against any members of the LockBit group.

The LockBit takedown has disrupted LockBit operations and damaged the group’s reputation within the cybercriminal community. The long post explaining the takedown and the actions that will be taken in the future appears to be damage control and an attempt to repair the reputational damage caused, but affiliates could well decide that now is the time to switch to an alternative ransomware-as-a-service operation. Time will tell how quickly, and to what extent, LockBit will be able to recover, but it currently looks unlikely that the group will be able to quickly return to its previously held position as the most dangerous and prolific ransomware operation.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist in healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
