LockBit ransomware returns and resumes its ransomware activities on a new infrastructure shortly after their servers were compromised by law enforcement.
LockBit ransomware have expressed their intention to increase its focus on targeting the government sector. In a message resembling an FBI leak, the gang admitted their negligence in allowing the breach and outlined their plans for future operations.
LockBit Ransomware Returns and Affiliates Continue Attacks
LockBit has returned and resumed its ransomware operations following the disruption by law enforcement in Operation Cronos. In a damage control communication, the gang acknowledged their own negligence and irresponsibility as the root cause of the intervention.
To maintain their brand name, LockBit has relocated its data leak site to a new .onion address. The updated site now features a list of five victims along with countdown timers indicating when their stolen information will be published.
On February 19, authorities successfully dismantled LockBit’s infrastructure, which consisted of 34 servers hosting the data leak website and its mirrors, as well as containing stolen data, cryptocurrency addresses, decryption keys, and the affiliate panel.
Immediately after the takedown, the gang confirmed the breach saying that they lost only the servers running PHP and that backup systems without PHP were untouched.
Now, LockBit ransomware returns to operation just five days after the previous disruption. In their recent communication, they have shared information regarding the breach and outlined their strategies for reinforcing their infrastructure to minimize the risk of future hacking attempts. Their aim is to enhance the security measures in place to safeguard their operations.
Relaunched LockBit data leak site showing victims
Source: BleepingComputer
LockBit Was Taken Down by Law Enforcement as a Result of an Outdated PHP Server
According to LockBit, they attribute the breach of their two main servers to the collective actions of law enforcement, whom they refer to as the FBI. LockBit acknowledges their own negligence, stating that after enjoying financial success for five years, they became complacent and lazy in their security practices.
“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time.”
The LockBit threat actor reveals that the victim’s admin and chat panels server, as well as the blog server, were running PHP 8.1.2 and were likely compromised through a critical vulnerability identified as CVE-2023-3824.
LockBit has taken steps to update the PHP server and has even offered a reward to individuals who can identify vulnerabilities in the latest version.
Regarding the motive behind the supposed hacking by the FBI, the cybercriminal speculates that it may be connected to the LockBit ransomware attack on Fulton County in January. This attack had the potential to expose sensitive information, including details related to Donald Trump’s court cases, which could have influenced the upcoming US election.
LockBit’s infrastructure, consisting of 34 servers hosting the data leak website, its mirrors, stolen data from victims, cryptocurrency addresses, decryption keys, and the affiliate panel, was successfully dismantled by authorities on February 19.
Following the takedown, the gang acknowledged the breach and clarified that only the servers running PHP were affected, while their backup systems without PHP remained unaffected.
Just five days later, LockBit has resumed its operations and has shared specifics about the breach. They also outlined their plans to enhance the security of their infrastructure, aiming to make it more resilient against potential hacking attempts in the future.
LockBit has come to the conclusion that targeting the government sector more frequently could potentially expose the capabilities of law enforcement, specifically the FBI, to retaliate against the gang.
The threat actor reveals that law enforcement managed to obtain certain assets, including a database, web panel sources, locker stubs that are not classified as source code as claimed, and a limited number of unprotected decryptors.
LockBit Plans to Upgrade Infrastructure and Their Decryptors
During Operation Cronos, authorities managed to acquire over 1,000 decryption keys. LockBit claims that these keys were obtained from “unprotected decryptors,” which refers to specific versions of their file-encrypting malware that did not have the “maximum decryption protection” feature enabled.
These versions were typically used by low-level affiliates who targeted smaller ransoms of around $2,000. It is worth noting that the server contained nearly 20,000 decryptors, which accounts for about half of the approximately 40,000 decryptors generated throughout the entire lifespan of the operation.
LockBit has outlined its plans to enhance the security of its infrastructure. As part of these efforts, they intend to transition to a manual release system for decryptors and trial file decryptions.
Additionally, they will host the affiliate panel on multiple servers, granting their partners access to different copies based on their trust level. These measures aim to improve overall security and mitigate potential risks within the LockBit operation.
“Due to the separation of the panel and greater decentralization, the absence of trial decrypts in automatic mode, maximum protection of decryptors for each company, the chance of hacking will be significantly reduced”