LockBit claims a comeback less than a week after major disruption
A website associated with the LockBit ransomware operation appeared online Saturday less than a week after a law enforcement operation disrupted dozens of servers associated with the group, underscoring the whack-a-mole nature of combatting high-profile ransomware operators.
The new LockBit website includes a list of alleged victims whose data the criminal group is threatening to leak if they don’t pay a ransom. That list includes mix of new and old targets, including government systems in Fulton County, Ga., where authorities earlier this month acknowledged dealing with a serious cybersecurity issue.
In a dubious, rambling message posted Saturday, LockBit administrators claimed that the Fulton County data was the reason the FBI pulled the trigger on the operation, given that the “stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”
“Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates,” the statement said, adding that LockBit was set to release the Fulton County documents the day law enforcement took the servers down.
Authorities in Fulton County are prosecuting former President Donald Trump on charges that he sought to overturn the results of the 2020 presidential election in Georgia.
It’s not clear whether LockBit, which until last week’s law enforcement operation ranked as the world’s most prolific ransomware group, is in possession of Trump-related files, and British authorities — who played a leading role in the takedown operation — said last week that the takedown operation began in 2022.
In their message on Saturday, LockBit administrators listed more than two dozen servers they claim contain victim data, as well as more than a dozen mirrors and half a dozen domains associated with the new blog.
The message added that the group believes its site was likely taken down utilizing a vulnerability in the server software PHP. The vulnerable version of the software had not been updated because “for 5 years of swimming in money I became very lazy,” the message read.
In a statement to CyberScoop Tuesday, the NCA said it was “able to compromise their entire criminal operation,” and that LockBit remains “completely compromised.” The agency assumed the group would “attempt to regroup,” but also “gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues.”
The FBI did not respond to questions about LockBit’s apparent return.
LockBitSupp, the point of contact for public questions to the group, did not respond to a series of questions sent Monday afternoon.
The exact extent to which LockBit’s services are once more available to criminal hackers remained unclear as of Monday, but researchers who study ransomware communities said the attempt by LockBit to resuscitate its operations came as no surprise.
“Nobody would let a multi-million dollar business go down without a fight,” Brett Callow, a threat analyst with Emsisoft, told CyberScoop Monday. Callow cautioned that LockBit’s “claims seem implausible and reek of desperation” and added that “in all likelihood the Lockbit brand is dead.”
“No smart affiliate will want to work with an operation that was so completely compromised and, for that matter, is quite probably still completely compromised,” he said.
Callow said that LockBit’s comeback shows “the whack-a-mole nature of the fight against ransomware.” In December, the FBI seized some servers associated with the ransomware gang ALPHV, only to have the group claim hours later to have “unseized” them and resumed operations.
“Unless arrests are made, groups will not stay down,” Callow said. “We saw this with ALPHV, and we’re seeing it now with LockBit.”
As part of last week’s operation against LockBit, authorities arrested three men, one in Poland and a father and son in Ukraine, for their alleged roles in LockBit activities.
The primary administrator of the group, known online as LockBitSupp, appears to remain at large. Law enforcement authorities had said they would reveal LockBitSupp’s identity on Friday but instead posted a message saying they knew where he was, the car he drove, and how much money he has. The authorities also said that LockBitSupp had “engaged with Law Enforcement,” perhaps as a means to undermine the group’s reputation in the cybercrime ecosystem.
The U.S. State Department has offered up to $15 million in rewards for information leading to the identification and/or arrest of LockBit leadership or people engaging in LockBit-related attacks.
Adam Hickey, the former deputy assistant attorney general with the Department of Justice’s National Security Division, told CyberScoop last week that while takedowns are valuable, law enforcement operations alone won’t eliminate the ransomware phenomenon.
“You have certain nations unwilling to apply fairly uncontroversial, neutral rules about what is criminal behavior on the internet to their own citizens if it suits their purpose,” Hickey said. “If the people who do this aren’t ultimately arrested and held accountable by their government or ours, there will continue to be a market for this.”
Updated Feb. 27, 2024: This article has been updated to include a statement from the National Crime Agency.
