Ransomware operator LockBit has resurfaced on a new dark web leak site just days after a joint law enforcement operation took control of the group's infrastructure.
By moving to a new .onion address hosted on new servers, the collective appears to be back up and running and has already populated its new leak site with several new victims.
These are assumed to be targets of its most recent operations that were interrupted by the takedown on Tuesday, February 20.
In a signed PGP message distributed through its new domain, LockBit's administrator claimed that the takedown was only possible due to carelessness on the group's part, primarily its failure to update the PHP installation on its servers.
“Due to my personal negligence and irresponsibility, I relaxed and did not update PHP in time, the servers had PHP 8.1.2 version installed, which was successfully tested, probably by this CVE, as a result of which access was gained to the two main servers where this version of PHP was installed.”
Speaking to ITPro, Matt Middleton-Leal, EMEA managing director at IT security specialist Qualys, said that like legitimate businesses, hacking groups must also observe good cyber hygiene and apply patches regularly to avoid takedowns like this.
“All organizations need to stay up-to-date with patches to their IT assets. Hacker groups are no exception. While there was an oversight on their part to keep up to date, it is not uncommon. It's the exact same problem that IT teams consider as risks in their organizations every day.”
The group claims that the operation only affected its servers running PHP, so none of its backup systems were affected, and the collective claims that stolen data stored on these systems will continue to be published.
The message also questions the claim that authorities were able to access around 1,000 decryptors, some of which were posted on the compromised leak site.
The group added that even if the figure was accurate, it would only reflect a fraction of the decryptors it had produced since it began operating.
“Please note that the vast majority of unprotected decryptors come from partners who brute force encryption dedications and spam individual computers, charging ransoms of $2000, meaning even if the FBI has 1000 decryptors, they are of little use. The main thing is that they did not obtain all the decryptors for the entire 5 years of operation, the number of which is approximately 40000,” the gang said.
“It turns out that the FBI was only able to get hold of 2.5% of the total number of decryptors, yes, it is bad, but it is not fatal.”
Will LockBit's resurgence last?
There is evidence that cyber gangs persist long after they have been targeted by police operations.
In October 2023, security researchers warned that hackers affiliated with the Qakbot malware family were still a widespread threat after a police takedown in August of that year.
The resurgence raised questions about the effectiveness of takedowns of this nature, with similar examples including the Emotet botnet reappearing online four months after being “shut down” in November 2021.
Middleton-Leal explained that he believes it will take more than a one-time operation to take down a group the size of LockBit.
“It is better to think of Lockbit as a well-organized and well-funded company than as a gang of hackers. The fact that the agencies have managed to turn them around is a fantastic achievement, but this type of removal will have to be an ongoing activity and not a one-off event.”
But Middleton-Leal said he expects there to be a period of downtime before members can get back on their feet.
“It will take some time for dissident organizations or their affiliates to emerge and become effective again, as they will need to modify their techniques. That said, ransomware companies depend on them to continually transform their attack methodologies.”
Dr. Ilia Kolochenko, CEO and chief architect of ImmuniWeb and associate professor of cybersecurity and cyber law at Capital Technology University, agreed, noting that groups the size of LockBit are not easily dismantled through one-off operations.
“The resurrection is not surprising: LockBit is a mature, well-organized and experienced cybercrime group that cannot be easily dismantled compared to smaller ransomware entities that were elegantly crushed by joint law enforcement operations in 2023.”
But Kolochenko suggested there may still be hope that the operation will bear more lasting fruit in terms of shutting down LockBit for good.
“However, according to information published by the media and law enforcement, the latter managed to obtain a complete list of victims, payments and other details of the LockBit ransomware empire,” Kolochenko noted.
“Firstly, this data can potentially serve as invaluable intelligence for future investigations that may eventually expose the whereabouts and identities of LockBit members. Secondly, it is interesting whether law enforcement agencies will now pass the collected information to other national authorities to eventually investigate LockBit victims.”