Servers Restored by LockBit Ransomware Group After Law Enforcement Takedown

In mid-February, the LockBit ransomware group's affiliate portal, its data leak site, and 32 servers were seized in a worldwide law enforcement operation; nonetheless, the takedown appears to have been short-lived, as the LockBit data leak website has now been re-established. The LockBit group has also put up a lengthy write-up on what occurred, along with its plans for future operations. The post states that the seizure will not stop operations and that LockBit will continue with more ransomware attacks on the government sector.

Operation Cronos was a joint venture between law enforcement organizations in the United Kingdom, the United States, and Europe. A series of notices announced the operation's results. LockBit source code, decryption keys, and cryptocurrency wallets were seized, and a decryptor was provided that would enable LockBit attack victims to recover their encrypted files. The UK's National Crime Agency also threatened to expose the identity of LockBitSupp, believed to be the boss of the operation, although that information was not released. Instead, the leak site carried a notice concerning the identity of LockBitSupp.

In its notice, the LockBit group claimed that the campaign by the FBI and the other law enforcement agencies that joined Operation Cronos was meant to intimidate and frighten the group into shutting down operations; however, the group was defiant and said the attacks would continue despite the takedown. The group boasted about the money it had made and stated that the accumulated wealth and the luxuries it could buy did not bring nearly as much fulfillment as running the LockBit operation.

The LockBit group said the FBI most likely used a PHP vulnerability, CVE-2023-3824, to gain access to LockBit's servers, while allowing that it may not have been this CVE but something else, such as a 0-day in PHP. This is likely how the victims' blog server, chat panel server, and administrator account were accessed. LockBitSupp attributed the failure to patch to irresponsibility and personal negligence.

The LockBit group also stated that backup servers without PHP installed were not breached or seized, and that the takedown was timed to prevent the release of files stolen from Fulton County, Georgia, in a ransomware attack last January, which it claimed could affect the outcome of the forthcoming U.S. Presidential election. The attack resulted in the theft of information from the county's court and tax systems. Fulton County is the venue for a lawsuit against Donald Trump and 18 co-defendants over alleged efforts to overturn the 2020 election.

In the write-up, LockBit claimed the takedown was not as comprehensive as it seemed: only about 1,000 ransomware decryptors were taken, while its servers hold close to 20,000, and the list of LockBit affiliates that was obtained and posted does not contain any real nicknames or monikers used on forums. In response to the operation, the group said it would make changes, such as decentralizing the hosting of its administrative panel, to make any future takedown attempts more difficult. The group additionally stated that recovery took four days to complete because of an incompatibility with the most recent PHP version, which required edits to the source code.

The LockBit group's core members are believed to live in Russia, where privacy violations are tolerated so long as the activities align with Russia's objectives and no attacks are carried out inside Russia or any of the Commonwealth of Independent States (CIS). Russia does act against threat actors that break those operating rules. Recently, Russia said that three members of the SugarLocker ransomware gang were arrested for attacks inside Russia and CIS nations; nevertheless, no action is likely to be taken against any LockBit group member.

The LockBit seizure has disrupted LockBit operations and harmed the group's reputation within the cybercriminal community. The long post detailing the attack and the steps to be taken next appears to be damage control and an attempt to repair the reputational harm, but affiliates may now decide to move to a different ransomware-as-a-service operation. Only time will tell how quickly, and to what degree, LockBit can recover; however, it currently looks improbable that the group will be able to quickly return to its former position as the most dangerous and high-profile ransomware gang.