Security News LockBit ransomware disrupted by global police operation

Lymphocyte

Level 2
Thread author
Verified
Jul 22, 2014
63
Law enforcement agencies from 11 countries have disrupted the notorious LockBit ransomware operation in a joint operation known as ''Operation Cronos."

According to a banner displayed on the gang's data leak website, LockBit's dark web leak site is now under the control of the National Crime Agency of the United Kingdom.

"The site is now under the control of law enforcement. This site is now under the control of The National Crime Agency of the UK, Working in close cooperation with the FBI and the international law enforcement task force, Operation Cronos," the banner reads.

"We can confirm that Lockbit's services have been disrupted as a result of International Law Enforcement action - this is an ongoing and developing operation."

While the leak site is no longer accessible, showing the seizure banner embedded below or an "Unable to connect" error saying the connection was refused, the ransomware gang's other dark web sites (including other sites used to host data and send private messages to the gang) are all still up.

The law enforcement agencies behind Operation Chronos are expected to publish a joint press release tomorrow at 12:30 CET.

LockBit seizure banner


The LockBit ransomware-as-a-service (RaaS) operation surfaced in September 2019 and has since targeted a wide range of high-profile organizations worldwide,

LockBit's victim list includes the UK Royal Mail, the City of Oakland, the Continental automotive giant, and the Italian Internal Revenue Service.

Most recently, Bank of America warned customers their personal information was exposed in a data breach after Infosys McCamish Systems (IMS), one of its service providers, was hacked in an attack claimed by the LockBit ransomware gang.

Cybersecurity authorities in the United States and partners worldwide said in a joint advisory released in June that the LockBit gang has extorted at least $91 million from U.S. organizations following as many as 1,700 attacks since 2020.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,556
Police arrests LockBit ransomware members, release decryptor in global crackdown
As part of Operation Cronos, law enforcement also retrieved over 1,000 decryption keys from the seized LockBit servers. Using these decryption keys, the Japanese Police, the NCA, and the Federal Bureau of Investigation (FBI) developed a LockBit 3.0 Black Ransomware decryption tool with Europol's support.

This free decryptor is now available via the 'No More Ransom' portal. BleepingComputer contacted Europol to learn if the decryptor only helps LockBit victims after a certain date, but a response was not immediately available.
 

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,480
LONDON, UNITED KINGDOM — An international coalition of law enforcement agencies led by Britain’s National Crime Agency (NCA) have garnered so much intelligence after hacking LockBit’s infrastructure they are set to release more insights over the rest of this week, officials have said.

The ransomware gang’s website was replaced by a splashpage on Monday evening. During a press conference in London on Tuesday morning, the NCA’s director general, Graeme Biggar, announced his agency had “gained unprecedented and comprehensive access to LockBit’s systems.”

Officials said that while some fragmentary remnants of peripheral infrastructure might remain accessible to the criminals — prompting counter-claims by LockBit that the operation had simply exploited a PHP vulnerability — it was the position of the NCA, FBI and Europol that the LockBit service was completely destroyed by their operation.
 

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,480

1. LockBit didn’t delete victims’ data — even if they paid​

It’s long been suspected that paying a hacker’s ransom demand is a gamble and not a guarantee that stolen data will be deleted. Some corporate victims have even said as such, saying they “cannot guarantee” that their data would be erased.

The LockBit takedown has given us confirmation that this is absolutely the case. The NCA revealed that some of the data found on LockBit’s seized systems belonged to victims who had paid a ransom to the threat actors, “evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised,” the NCA said in a statement.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,556
LockBit ransomware secretly building next-gen encryptor before takedown
LockBit ransomware developers were secretly building a new version of their file encrypting malware, dubbed LockBit-NG-Dev - likely to become LockBit 4.0, when law enforcement took down the cybercriminal's infrastructure earlier this week.

As a result of the collaboration with the National Crime Agency in the UK, cybersecurity company Trend Micro analyzed a sample of the latest LockBit development that can work on multiple operating systems.
Trend Micro has published a deeply technical analysis of the malware, which reveals the full configuration parameters for LockBit-NG-Dev.

The discovery of the new LockBit encrypter is another blow law enforcement dealt to LockBit operators through Operation Cronos. Even if backup servers are still controlled by the gang, restoring the cybercriminal business should be a tough challenge when the source code for the encrypting malware is known to security researchers.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,556
LockBit ransomware returns, restores servers after police disruption
The LockBit gang is relaunching its ransomware operation on a new infrastructure less than a week after law enforcement hacked their servers, and is threatening to focus more of their attacks on the government sector.

In a message under a mock-up FBI leak - specifically to draw attention, the gang published a lengthy message about their negligence enabling the breach and the plans for the operation going forward.

On Saturday, LockBit announced it was resuming the ransomware business and released damage control communication saying admitting that “personal negligence and irresponsibility” led to law enforcement disrupting its activity in Operation Cronos.

The gang kept the brand name and moved its data leak site to a new .onion address that lists five victims with countdown timers for publishing stolen information.

On February 19, authorities took down LockBit’s infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel.

Immediately after the takedown, the gang confirmed the breach saying that they lost only the servers running PHP and that backup systems without PHP were untouched.

Five days later, LockBit is back and provides details about the breach and how they’re going to run the business to make their infrastructure more difficult to hack.
 

enaph

Level 28
Verified
Honorary Member
Top Poster
Well-known
Jun 14, 2011
1,789
The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, days after an international law enforcement exercise seized control of its servers.

To that end, the notorious group has moved its data leak portal to a new .onion address on the TOR network, listing 12 new victims as of writing.

The administrator behind LockBit, in a lengthy follow-up message, said some of their websites were confiscated by most likely exploiting a critical PHP flaw tracked as CVE-2023-3824, acknowledging that they didn't update PHP due to "personal negligence and irresponsibility."

"I realize that it may not have been this CVE, but something else like 0-day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed," they noted.

They also claimed the U.S. Federal Bureau of Investigation (FBI) "hacked" their infrastructure because of a ransomware attack on Fulton County in January and the "stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming U.S. election."

In addition to calling for attacking the ".gov sector" more often, they stated that the server from which the authorities obtained more than 1,000 decryption keys held almost 20,000 decryptors, most of which were protected and accounted for about half of the total number of decryptors generated since 2019.

The group further went on to add that the nicknames of the affiliates have "nothing to do with their real nicknames on forums and even nicknames in messengers."

That's not all. The post also attempted to discredit law enforcement agencies, claiming the real "Bassterlord" has not been identified, and that the FBI actions are "aimed at destroying the reputation of my affiliate program."

"Why did it take 4 days to recover? Because I had to edit the source code for the latest version of PHP, as there was incompatibility," they said.

"I will stop being lazy and make it so that absolutely every build loker will be with maximum protection, now there will be no automatic trial decrypt, all trial decrypts and the issuance of decryptors will be made only in manual mode. Thus in the possible next attack, the FBI will not be able to get a single decryptor for free."

Russia Arrests Three SugarLocker Members#

The development comes as Russian law enforcement officials have arrested three individuals, including Aleksandr Nenadkevichite Ermakov (aka blade_runner, GustaveDore, or JimJones), in connection with the SugarLocker ransomware group.

"The attackers worked under the guise of a legitimate IT firm Shtazi-IT, which offers services for the development of landing pages, mobile applications, scripts, parsers, and online stores," Russian cybersecurity firm F.A.C.C.T. said. "The company openly posted ads for hiring new employees."

The operators have also been accused of developing custom malware, creating phishing sites for online stores, and driving user traffic to fraudulent schemes popular in Russia and the Commonwealth of Independent States (CIS) nations.

SugarLocker first appeared in early 2021 and later began to be offered under the ransomware-as-a-service (RaaS) model, leasing its malware to other partners under an affiliate program to breach targets and deploy the ransomware payload.

Nearly three-fourths of the ransom proceeds go to the affiliates, a figure that jumps to 90% if the payment exceeds $5 million. The cybercrime gang's links to Shtazi-IT were previously disclosed by Intel 471 last month.

The arrest of Ermakov is notable, as it comes in the wake of Australia, the U.K., and the U.S. imposing financial sanctions against him for his alleged role in the 2022 ransomware attack against health insurance provider Medibank.

The ransomware attack, which took place in late October 2022 and attributed to the now-defunct REvil ransomware crew, led to the unauthorized access of approximately 9.7 million of its current and former customers.

The stolen information included names, dates of birth, Medicare numbers, and sensitive medical information, including records on mental health, sexual health, and drug use. Some of these records also found their way to the dark web.

It also follows a report from news agency TASS, which revealed that a 49-year-old Russian national is set to face trial on charges of carrying out a cyber attack on technological control systems that left 38 settlements of the Vologda region without power.
Source
 
Last edited by a moderator:

Lymphocyte

Level 2
Thread author
Verified
Jul 22, 2014
63

LockBit ransomware returns to attacks with new encryptors, servers​


The LockBit ransomware gang is once again conducting attacks, using updated encryptors with ransom notes linking to new servers after last week's law enforcement disruption.

Last week, the NCA, FBI, and Europol conducted a coordinated disruption called 'Operation Cronos' against the LockBit ransomware operation.

As part of this operation, law enforcement seized infrastructure, retrieved decryptors, and, in an embarrassing moment for LockBit, converted the ransomware gang's data leak site into a police press portal.

LockBit data leak site converted into a press site
LockBit data leak site converted into a press site
Source: BleepingComputer
Soon after, LockBit set up a new data leak site and left a long note addressed to the FBI, claiming law enforcement breached their servers using a PHP bug.

However, instead of rebranding, they promised to return with updated infrastructure and new security mechanisms to prevent law enforcement from performing operation-wide attacks and gaining access to decryptors.

Updated LockBit encryptors used in attacks​

As of yesterday, LockBit appears to be conducting attacks again, with new encryptors and infrastructure setup for data leak and negotiation sites.

As first reported by Zscaler, the ransomware gang updated their encryptor's ransom notes with Tor URLs for the gang's new infrastructure. BleepingComputer later found samples of the encryptors uploaded to VirusTotal yesterday [Sample] (shared by MalwareHunterTeam) and today [Sample], containing the updated ransom notes.

BleepingComputer also confirmed that the operation's negotiation servers are live again but only work for victims of new attacks.

New LockBit negotiation sites
New LockBit negotiation sites
Source: BleepingComputer
At the time of LockBit's takedown, the ransomware operation had approximately 180 affiliates working with them to conduct attacks.

It is not known how many are still working with the Ransomware-as-a-Service, as one has publicly lashed out at the operation on X.

However, LockBit states that they are now actively recruiting experienced pentesters to join their operation again, which will likely lead to increased attacks in the future.

Whether this is a grand plan for LockBit to slowly fade away and rebrand as we saw with Conti remains to be seen. For now, though, it is safer to assume that LockBit continues to be a threat.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top