LockBits Leak Site Reemerges, a Week After Complete Compromise

Published: 23/11/2024   Category: security


Is LockBit dead? Law enforcement and the group itself seem to be telling conflicting stories.



The LockBit ransomware-as-a-service (RaaS) operation has re-launched its leak site, just one week after a coordinated takedown operation from global law enforcement.

On Feb. 19, the Operation Cronos Taskforce — which includes the FBI, Europol, and the UK's National Crime Agency (NCA), among other agencies — carried out a massive action. According to Britain's National Crime Agency (NCA), the taskforce took down infrastructure spread across three countries, including dozens of servers. It seized code and other valuable intelligence, troves of data stolen from its victims, and more than 1,000 associated decryption keys. It vandalized the group's leak site and its affiliate portal, froze more than 200 cryptocurrency accounts, arrested a Polish and a Ukrainian national, and indicted two Russian nationals.

A spokesperson for the NCA summed it up on Feb. 26, telling Reuters that the group "remains completely compromised." The person added, however, that "our work to target and disrupt them continues."

Indeed, Operation Cronos may not have been as comprehensive as it at first seemed. Though law enforcement was able to damage LockBit's primary infrastructure, its leader admitted in a letter, its backup systems remained untouched, enabling the operation to bounce back quickly.

"At the end of the day, it's a significant blow by law enforcement against them," says former FBI special agent Michael McPherson, now senior vice president of technical operations at ReliaQuest. "I don't think anybody is naïve enough to say that it's the nail in the coffin for this group, but this is a body blow."

One would be well-advised to greet the leader of LockBit with skepticism. "Like a lot of these guys in the ransomware space, he's got quite an ego, he's a little bit volatile. And he has been known to tell some pretty tall tales when it suits his objective," says Kurtis Minder, a ransomware negotiator, and co-founder and CEO of GroupSense.

In his letter, however, the person or persons Minder refers to as "Alex" strikes a notably humble tone.

"Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time," the ransomware ringleader wrote, citing the critical, 9.8 out of 10 CVSS-rated PHP bug CVE-2023-3824, "as a result of which access was gained to the two main servers where this version of PHP was installed. I realize that it may not have been this CVE, but something else like 0day for PHP, but I can't be 100% sure."

Crucially, he added, "All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies." Indeed, thanks to this redundancy, LockBit's leak site was back up and running after a week, featuring a dozen victims: a lending platform, a national network of dentistry labs, and, most notably, Fulton County, Georgia, where former president Trump is currently involved in a legal battle.

For years now, US and EU law enforcement have made headlines with high-profile raids of major ransomware operations: Hive, AlphV/BlackCat, Ragnar Locker, and so on. That in spite of these efforts ransomware continues to rise may inspire apathy in some.

But in the aftermath of such raids, McPherson explains, "Either these groups have not reconstituted, or they recovered in a smaller way. Like, Hive hasn't been able to come back yet — there was interest in it, but it really didn't materialize."

Even if law enforcement didn't totally wipe out LockBit, it still likely caused the hackers great harm. For example, Minder points out, they apparently got access to some of the affiliates' information, which affords authorities significant leverage.

"If I'm an affiliate, or I'm another ransomware developer, I might think twice about interacting with these people just in case they've turned FBI informant. So it's creating some distrust. And then on the flip side, I think they're doing the same to LockBit by saying: Hey, we actually know who all the affiliates are, we got all their contact information. So now LockBit is going to be suspicious of its own affiliates. It's a little bit of chaos. It's interesting."

To really solve ransomware in the longer term, though, governments may need to supplement flashy takedowns with effective policies and programs.

"There has to be a balanced program, maybe at the federal government level, that actually helps with prevention, in response, in repair. I think if we saw how much capital was actually leaving the US economy as a result of these kinds of activities, we'd see that it would make sense to subsidize a program like that, that would keep people from having to pay ransoms," he says.
