Return of the Lockbit: LockBit Ransomware Returns and ReLaunches Its Dark Web Leak Site

Written by Mitchell Langley

February 26, 2024

Insomniac Investigates Games Rhysida Ransomware Data Breach and Alerts Employees

LockBit ransomware returns and resumes its ransomware activities on a new infrastructure shortly after their servers were compromised by law enforcement.

LockBit ransomware have expressed their intention to increase its focus on targeting the government sector. In a message resembling an FBI leak, the gang admitted their negligence in allowing the breach and outlined their plans for future operations.

LockBit Ransomware Returns and Affiliates Continue Attacks

LockBit has returned and resumed its ransomware operations following the disruption by law enforcement in Operation Cronos. In a damage control communication, the gang acknowledged their own negligence and irresponsibility as the root cause of the intervention.

To maintain their brand name, LockBit has relocated its data leak site to a new .onion address. The updated site now features a list of five victims along with countdown timers indicating when their stolen information will be published.

On February 19, authorities successfully dismantled LockBit’s infrastructure, which consisted of 34 servers hosting the data leak website and its mirrors, as well as containing stolen data, cryptocurrency addresses, decryption keys, and the affiliate panel.

Immediately after the takedown, the gang confirmed the breach saying that they lost only the servers running PHP and that backup systems without PHP were untouched.

Now, LockBit ransomware returns to operation just five days after the previous disruption. In their recent communication, they have shared information regarding the breach and outlined their strategies for reinforcing their infrastructure to minimize the risk of future hacking attempts. Their aim is to enhance the security measures in place to safeguard their operations.

Return of the Lockbit: LockBit Ransomware Returns and ReLaunches Its Dark Web Leak Site

Relaunched LockBit data leak site showing victims

Source: BleepingComputer

LockBit Was Taken Down by Law Enforcement as a Result of an Outdated PHP Server

According to LockBit, they attribute the breach of their two main servers to the collective actions of law enforcement, whom they refer to as the FBI. LockBit acknowledges their own negligence, stating that after enjoying financial success for five years, they became complacent and lazy in their security practices.

“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time.”

The LockBit threat actor reveals that the victim’s admin and chat panels server, as well as the blog server, were running PHP 8.1.2 and were likely compromised through a critical vulnerability identified as CVE-2023-3824.

LockBit has taken steps to update the PHP server and has even offered a reward to individuals who can identify vulnerabilities in the latest version.

Regarding the motive behind the supposed hacking by the FBI, the cybercriminal speculates that it may be connected to the LockBit ransomware attack on Fulton County in January. This attack had the potential to expose sensitive information, including details related to Donald Trump’s court cases, which could have influenced the upcoming US election.

LockBit’s infrastructure, consisting of 34 servers hosting the data leak website, its mirrors, stolen data from victims, cryptocurrency addresses, decryption keys, and the affiliate panel, was successfully dismantled by authorities on February 19.

Following the takedown, the gang acknowledged the breach and clarified that only the servers running PHP were affected, while their backup systems without PHP remained unaffected.

Just five days later, LockBit has resumed its operations and has shared specifics about the breach. They also outlined their plans to enhance the security of their infrastructure, aiming to make it more resilient against potential hacking attempts in the future.

LockBit has come to the conclusion that targeting the government sector more frequently could potentially expose the capabilities of law enforcement, specifically the FBI, to retaliate against the gang.

The threat actor reveals that law enforcement managed to obtain certain assets, including a database, web panel sources, locker stubs that are not classified as source code as claimed, and a limited number of unprotected decryptors.

LockBit Plans to Upgrade Infrastructure and Their Decryptors

During Operation Cronos, authorities managed to acquire over 1,000 decryption keys. LockBit claims that these keys were obtained from “unprotected decryptors,” which refers to specific versions of their file-encrypting malware that did not have the “maximum decryption protection” feature enabled.

These versions were typically used by low-level affiliates who targeted smaller ransoms of around $2,000. It is worth noting that the server contained nearly 20,000 decryptors, which accounts for about half of the approximately 40,000 decryptors generated throughout the entire lifespan of the operation.

LockBit has outlined its plans to enhance the security of its infrastructure. As part of these efforts, they intend to transition to a manual release system for decryptors and trial file decryptions.

Additionally, they will host the affiliate panel on multiple servers, granting their partners access to different copies based on their trust level. These measures aim to improve overall security and mitigate potential risks within the LockBit operation.

“Due to the separation of the panel and greater decentralization, the absence of trial decrypts in automatic mode, maximum protection of decryptors for each company, the chance of hacking will be significantly reduced”

Related Articles

Daixin Ransomware Claims Omni Hotels Cyberattack

Daixin Ransomware Claims Omni Hotels Cyberattack

The Daixin Team ransomware gang has taken responsibility for a recent cyberattack on Omni Hotels & Resorts and is currently issuing threats to publish sensitive customer information unless a ransom is paid. This development comes after the hotel chain experienced...

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!