
LockBit restarted its operations after last week's crackdown by police forces. Over the weekend the ransomware group launched a new website to extort its victims. Even so, the conclusion about the international action against LockBit is positive. How does the operation affect the ransomware group's activities?

Update, 29/2, 10:05 am: LockBit’s operations appear to continue with updated encryptors. In addition, new servers are already active, as is evident from the ransom messages that new victims received. The servers run the infrastructure for the new leak site and for the website on which negotiations between the ransomware group and victims take place.

Original, 26/2, 12:10 pm: LockBit restarted its operations last Saturday. It set up a new website on which it extorts victims by listing the names of organizations whose data was stolen with LockBit ransomware. Each victim's name is accompanied by a countdown timer showing how much time the victim has left to pay the ransom. Once the timer expires, the hacker collective publishes the stolen data. Five new victims are already listed on the new .onion website.

Recovering from Operation Cronos

Last week, police forces were able to take over the ransomware group's earlier leak site. Several international police forces, including Europol and several national police departments from EU member states, took down 34 servers for this purpose. The joint action was named Operation Cronos.

Right after the operation, Europol already announced that further actions would be needed to stop LockBit. The ransomware group appears to have recovered quickly from the international action. After the takedown of the website, the hacker collective had already stated that not all of its servers were hit by the international action, only those running PHP.

In a new message, it now explains how police forces were able to take over the website: two crucial servers appear to have been compromised through a critical vulnerability in PHP 8.1.2. “Because of my personal negligence and irresponsibility, I have relaxed and did not update PHP in time,” writes the LockBit blogger. “The new servers are now running the latest version of PHP 8.3.3.” A link to the full post was shared by BleepingComputer.

Better security for decryption keys

Operation Cronos also took control of 1,000 decryption keys. According to LockBit, these were keys that were not fully secured and were typically used in smaller ransomware attacks where the ransom was no more than $2,000. “There were about 20,000 decryptors on the server, most of which were secured and thus cannot be used by the FBI,” LockBit said.

Going forward, the ransomware group plans to secure these keys better by issuing them manually and placing fewer copies with users of LockBit's Ransomware-as-a-Service.

Regarding the arrests, the blogger says he is not impressed. According to him, the arrests involved random individuals with no link to LockBit's operations, and he asks the FBI to provide evidence of such a link to prove otherwise.

Message to FBI

Operation Cronos was a joint operation of Europol, the FBI, the UK's National Crime Agency and several national police departments. According to LockBit, the hacker collective chose to address only the FBI in its message because of what it sees as the reasons for the action. For example, a recent ransomware attack allegedly captured information about the just-concluded lawsuits against Donald Trump “that could affect the upcoming U.S. election.”

The hacker collective intended to publish the stolen documents as recently as Tuesday “as negotiations already stalled.” Those plans were thwarted by Operation Cronos, which LockBit regards as an action launched by the FBI in retaliation for that recent ransomware attack. The hacker collective, in turn, plans to launch more ransomware actions against governments.

Operation Cronos a success after all

Now that LockBit has continued its operations elsewhere, Operation Cronos may seem to have been a wasted effort. Europol was not naive, however, and was already anticipating a resurgence. However, the action did damage LockBit’s image, Robert McArdle told ITWire. “We know that no right-thinking criminal would want to be involved with the group again.” McArdle is a cybercrime researcher at Trend Micro. The company was involved in the police action.

Police forces thus used a trick that LockBit's cybercriminals know all too well. By publicly inflicting damage and publicly disclosing that damage, the credibility of LockBit's security has suffered. The ransomware group has proved not to be beyond the reach of law enforcement agencies. That damages the trust of its partners, even if the ransomware group's operations are set back up.

This works just as it does for organizations that are hit by ransomware and thereby prove unable to withstand cybersecurity incidents. Even if a victim manages to recover all its data after a ransomware attack, partners are left wondering when the next attack will occur. For LockBit, partners will now wonder when law enforcement agencies will next take successful action against the ransomware group and how extensive the damage will be next time.
