Lockbit is far from dead. Only a few days after the police operation that took down part of its infrastructure, the ransomware gang has resumed its activities. The hackers already claim around ten victims…
Last week, a major police operation hit the Lockbit hackers. The gang found itself deprived of most of its infrastructure, including around 30 servers and its sites on the dark web. In the process, two hackers, specializing in money laundering, were arrested in a small town in western Ukraine. According to press releases published by the FBI or the British authorities, the operation sounded the death knell for Lockbit, after years of malicious activity.
Very quickly, security experts tempered the investigators' triumphant tone. Although in bad shape, the ransomware gang is not completely dead. As expected, the group resurfaced. This weekend, less than a week after Operation Cronos, Lockbit posted a message on the dark web taking stock of its future, the causes of the offensive and its activities.
Negligence at the origin of Operation Cronos
The message, relayed by our colleagues at Bleeping Computer, indicates that its servers have been restored. At the same time, the gang set up new Tor domains to carry out its operations. In particular, a new platform for publishing the data of victims who refuse to pay has been put online on the dark web. In just a few days, the hackers rebuilt an entire infrastructure. As feared, the cybercriminals still at large quickly set to work restoring Lockbit's full capabilities.
Furthermore, Lockbit returned to the circumstances that allowed the police to organize their operation. The leader of the gang admits to “personal negligence” and “irresponsibility” in neglecting to update Lockbit's PHP servers in time. This oversight allowed police forces to exploit a security flaw in PHP. Lockbit does not know whether this was an unknown, zero-day vulnerability or a recently identified flaw. In any case, this is how the investigators infiltrated the Lockbit system. The gang promised to reward anyone who finds a new vulnerability in PHP's code.
“The version installed on my servers was already known to have a known vulnerability, so this is most likely how the admin servers […] were consulted,” says Lockbit.
According to the cybercriminals, the FBI rushed Operation Cronos following the ransomware attack on Fulton County (Georgia) in the United States. During this offensive, the ransomware caused serious computer outages while seizing a mountain of confidential documents. According to Lockbit, the malware mainly stole documents concerning “Donald Trump's legal affairs”, which could affect the next presidential elections. This is where the former president was arrested last summer, before being released. To prevent Lockbit from disclosing this sensitive data, the FBI reportedly accelerated the offensive against the gang. For the moment, there is nothing to support the hackers' assertions.
Lockbit's leaders also took the opportunity to downplay the information obtained by the authorities during Operation Cronos. According to the hackers, investigators were only able to obtain a handful of the decryption keys present on the servers. Likewise, they claim that the information regarding affiliates' nicknames is not representative of their pseudonyms on the rest of the dark web. This data therefore does not allow investigators to trace them.
The gang’s message looks like a communications operation aimed at reassuring ransomware users and tempering the damage of the police offensive in terms of image. Unsurprisingly, Lockbit seeks to downplay the scale of Operation Cronos.
Already 12 new victims for Lockbit
Above all, it seems that the Lockbit ransomware has already hit new targets. On its new dark web page, the hackers posted a list of twelve victims this weekend. Among them are a British steel company, an American aviation group, the FBI and even a French industrial logistics company. The website also lists a new attack on Fulton County.
Sophos researchers have also identified a barrage of new attacks using Lockbit 3.0 malware in recent days. The malware apparently exploited two vulnerabilities discovered in the code of ConnectWise ScreenConnect, a remote support software. Both flaws were promptly fixed by the developers, but not everyone has installed the patch yet. After investigation, Sophos revealed that it had spotted a very specific strain of Lockbit, called Lockbit Black.
Lockbit’s Revenge
Going forward, Lockbit has vowed to attack US government sites in retaliation. According to the gang's leaders, this strategy will force the FBI to keep pressure on the hackers, which should ultimately make them stronger. With these various threats, Lockbit is baring its fangs and signalling that it will not be defeated so easily.
Source: Bleeping Computer