Feds hack LockBit, LockBit springs again. Now what?

Days after it was knocked offline by a sweeping, years-in-the-making law enforcement operation, the infamous Russia-based LockBit ransomware group has returned to the dark web with a new leak site complete with numerous new victims.

In a verbose, borderline-rambling statement published Saturday, the remaining LockBit administrator blamed its own negligence for last week’s disruption. A global law enforcement effort launched an operation that hijacked the ransomware gang’s infrastructure by exploiting a vulnerability in LockBit’s public-facing websites, including the dark web leak site that the gang used to publish stolen data from victims.

“Operation Cronos,” as the feds dubbed it, also saw the takedown of 34 servers across Europe, the U.K., and the U.S., the seizure of more than 200 cryptocurrency wallets, and the arrests of two alleged LockBit members in Poland and Ukraine.

Just five days on, LockBit announced that its operations had resumed, claiming to have restored from backups unaffected by the government takedown. In its statement, LockBit’s administrator threatened to retaliate, saying it would target the government sector.

A spokesperson for the National Crime Agency, which led Operation Cronos, told TechCrunch on Monday following LockBit’s return that its takedown operation “successfully infiltrated and took control of LockBit’s systems, and was able to compromise their entire criminal operation.”

“Their systems have now been destroyed by the NCA, and it is our assessment that LockBit remains completely compromised,” the NCA said.

Law enforcement claiming overwhelming victory while the apparent LockBit ringleader remains at large, threatening retaliation, and targeting new victims puts the two at odds — for now. With more than a dozen new victims claimed since its brazen relaunch, LockBit’s demise may have been overstated.

As the cat-and-mouse game between the feds and the criminals rolls on, so does the fighting talk — and the bold claims from both sides.

While the NCA promised a big reveal of the gang’s long-standing leader, who goes by the name “LockBitSupp,” the agency disclosed little about the administrator in a post to LockBit’s own compromised dark web leak site on Friday.

“We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with Law Enforcement :),” the vaguely worded NCA message read.

U.S. law enforcement agencies have also offered a multi-million dollar reward for details “leading to the identification or location of any individual(s) who hold a key leadership position” in the LockBit gang — suggesting the authorities either don’t have that information or can’t yet prove it.

With the apparent administrator LockBitSupp still active — the last remaining piece of the LockBit puzzle — it’s unlikely LockBit goes away. Ransomware gangs are known to quickly regroup and rebrand even after law enforcement disruptions claim to have taken them down for good.

Take another Russia-based ransomware gang: ALPHV, also known as BlackCat, was dealt a similar blow last year when law enforcement agencies seized its dark web leak site and released decryption keys so victims could regain access to stolen data. Just days later, ALPHV announced it had “unseized” its leak site and claimed the FBI only had decryption keys for 400 or so companies — leaving more than 3,000 victims whose data remains encrypted.

At the time of writing, ALPHV’s leak site remains up and running — and continues to add new victims almost daily.

Other ransomware gangs, such as Hive and Conti, have faced similar law enforcement action in recent years, but are said to have simply rebranded and reformed under different names. Members of Conti are said to be operating under the new Black Basta, BlackByte, and Karakurt groups, while former Hive members rebranded as a new ransomware operation dubbed Hunters International.

The LockBit takedown, while hailed by many as the most significant in recent years, is unlikely to be much different — and the signs are already there.

In its long-winded post, LockBit claimed that law enforcement only obtained a handful of decryptors, arrested the wrong people, and failed to take down all of the websites under its control. LockBit also vowed that, in light of the operation, it would improve the security of its infrastructure, release decryptors manually, and continue its affiliate program.

“No FBI with their assistants can scare me and stop me, the stability of the service is guaranteed by years of continuous work,” LockBit’s rant continued. “They want to scare me because they cannot find and eliminate me, I cannot be stopped.”

The NCA told TechCrunch that the agency “recognized LockBit would likely attempt to regroup and rebuild their systems” but said that the agency’s work to disrupt the group continues.

“We have gathered a huge amount of intelligence about them and those associated with them, and our work to target and disrupt them continues,” said NCA spokesperson Richard Crowe.

Law enforcement’s acknowledgment that it is still working to disrupt the gang tells us all we need to know: LockBit isn’t dead yet, and it likely never was.