LockBit Ransomware Resurfaces Post Police Disruption; Threatens Greater Focus on Government Sector

February 25, 2024

The LockBit ransomware group has revived its operations on a fresh infrastructure, following a disruption by law enforcement agencies less than a week ago. The group has warned of a heightened focus on the government sector for their forthcoming attacks.

In a message designed to mimic an FBI leak to draw attention, the group released a lengthy communication discussing the breach that led to their disruption and their future plans. They acknowledged that 'personal negligence and irresponsibility' allowed law enforcement to interfere in their activities during Operation Cronos.

The LockBit gang retained their brand name and moved their data leak site to a new .onion address. This site lists five victims with timers counting down to the release of stolen information. On February 19, authorities dismantled LockBit’s infrastructure, which included 34 servers hosting their data leak website, mirrors, stolen data, cryptocurrency addresses, decryption keys, and the affiliate panel.

After the takedown, the group confirmed the breach, clarifying that only servers running PHP were lost, while backup systems without PHP remained unaffected. Five days later, LockBit re-emerged, providing details about the breach and their plans to fortify their infrastructure against future attacks.

LockBit attributed the breach to their own complacency and failure to update PHP in time. They revealed that the main servers breached by law enforcement (which LockBit refers to as the FBI) were running PHP 8.1.2 and were likely exploited using a critical vulnerability tracked as CVE-2023-3824. They have since updated their PHP server and offered rewards for anyone who can identify vulnerabilities in the latest version.
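The defensive lesson in that paragraph is patch inventory: an operator who knew which hosts were still on an unfixed PHP branch would not have been surprised. The script below is an added example written for this article, not LockBit's code and not from any cited source. It parses `php -v` style output and compares the version against the branch fixed releases that the PHP changelogs list for CVE-2023-3824 (8.0.30, 8.1.22, 8.2.8); those three numbers are the assumption the script rests on, and the host inventory is constructed.

```python
"""Flag PHP installations below the fixed release for CVE-2023-3824.

Added example for this article. The fixed releases per branch are taken
from the PHP changelogs as an assumption (8.0.30, 8.1.22, 8.2.8); versions
on other branches are reported as "not covered" rather than guessed.
"""
import re

# Assumed fixed release per minor branch (from the PHP release notes).
FIXED_VERSIONS = {
    (8, 0): (8, 0, 30),
    (8, 1): (8, 1, 22),
    (8, 2): (8, 2, 8),
}

# Matches the leading "PHP X.Y.Z" of `php -v` output.
VERSION_RE = re.compile(r"\bPHP\s+(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text):
    """Extract (major, minor, patch) from e.g. the first line of `php -v`."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no PHP version found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """Return True if below the fixed release for its branch, False if at or
    above it, and None if the branch is not in the advisory range (so the
    caller checks it separately instead of trusting a guess)."""
    major, minor, _patch = version
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return version < fixed


def audit(inventory):
    """inventory: dict host -> `php -v` output. Returns a per-host report."""
    report = {}
    for host, text in inventory.items():
        v = parse_php_version(text)
        status = is_vulnerable(v)
        report[host] = {
            "version": ".".join(map(str, v)),
            "vulnerable": status,
        }
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and build strings are made up.
    sample = {
        "web-01": "PHP 8.1.2 (cli) (built: Jan 10 2022 10:00:00) (NTS)",
        "web-02": "PHP 8.1.22 (cli) (built: Aug 3 2023 12:00:00) (NTS)",
        "web-03": "PHP 8.2.7 (cli) (built: Jun 8 2023 09:00:00) (NTS)",
        "web-04": "PHP 8.3.0 (cli) (built: Nov 23 2023 08:00:00) (NTS)",
    }
    labels = {True: "VULNERABLE", False: "ok", None: "not covered, check separately"}
    for host, r in audit(sample).items():
        print(f"{host}: PHP {r['version']} -> {labels[r['vulnerable']]}")
```

One caveat a practitioner will hit: distribution packages often backport security fixes without changing the upstream version string, so a host reporting PHP 8.1.2 from a vendor package may already carry the fix. Treat a version-string match as a prompt to check the package changelog, not as proof of exposure.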

The group speculated that the FBI targeted their infrastructure due to a ransomware attack on Fulton County in January, which threatened to leak sensitive information related to Donald Trump's court cases that could influence the upcoming US elections. This has led LockBit to believe that by increasing attacks on the government sector, they can test the FBI's abilities to counter their activities.

During Operation Cronos, authorities obtained over 1,000 decryption keys. LockBit claimed that these keys were from 'unprotected decryptors' and that nearly 20,000 decryptors were stored on the server, roughly half of the 40,000 generated throughout the operation's lifespan.

LockBit plans to enhance the security of its infrastructure, manually release decryptors, trial file decryptions, and host the affiliate panel on multiple servers. They intend to offer their partners access to different copies based on trust levels. LockBit's long message appears to be an attempt to regain credibility and control the damage to their reputation. Despite their efforts to restore the servers, their affiliates may remain skeptical.
