After a recent blow that forced its operations offline due to a longstanding law enforcement effort, the infamous LockBit ransomware gang has resurfaced on the dark web with a new leak site, featuring a fresh batch of victims.
In a lengthy and rambling statement released on Saturday, the remaining administrator of LockBit took responsibility for the temporary disruption, citing their own negligence. The recent global law enforcement operation, dubbed “Operation Cronos,” targeted and compromised LockBit’s infrastructure through a vulnerability in their public-facing websites, including their dark web leak site where the gang shared data stolen from victims.
“Operation Cronos” led to the seizure of 34 servers across Europe, the U.K., and the U.S., as well as the confiscation of over 200 cryptocurrency wallets. The operation also resulted in the arrest of two alleged LockBit members in Poland and Ukraine.
Despite these setbacks, LockBit announced its comeback just five days later, claiming to have restored their operations from unaffected backups. In their statement, the LockBit administrator declared their intention to target the government sector in retaliation.
A spokesperson for the National Crime Agency (NCA), which led “Operation Cronos,” told TechCrunch on Monday that the takedown was successful in infiltrating and taking control of LockBit’s systems, completely compromising their criminal activities.
However, the bold claims of overwhelming victory by law enforcement are at odds with the fact that the apparent leader of LockBit remains at large, issuing threats and targeting new victims. With over a dozen new victims claimed since their bold resurgence, it seems that LockBit’s demise may have been exaggerated.
The ongoing cat-and-mouse game between law enforcement and criminal gangs continues, with both sides engaging in bravado and fighting talk.
While the NCA promised to reveal the main leader of the gang, known as “LockBitSupp,” they shared little information about the individual in a post on LockBit’s own compromised dark web leak site last Friday.
“We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with Law Enforcement :),” read the NCA’s cryptic message.
U.S. law enforcement agencies have also offered a multi-million dollar reward for any details leading to the identification or location of key leaders within LockBit’s group, suggesting that they currently do not have this information or lack the evidence to prove it.
With the apparent leader LockBitSupp still at large, the puzzle of LockBit’s criminal operations remains incomplete, making it unlikely that the group will simply fade away. Ransomware gangs have a history of quickly regrouping and rebranding after law enforcement disruptions that claim to have taken them down for good.
One example is ALPHV, also known as BlackCat, a Russia-based ransomware gang that faced a similar setback last year when law enforcement agencies seized their dark web leak site and released decryption keys for victims to recover their stolen files. However, within days, ALPHV announced that they had “unseized” their leak site and claimed that the FBI only possessed decryption keys for approximately 400 companies, leaving over 3,000 victims whose data remained encrypted.
Currently, ALPHV’s leak site remains operational and continues to add new victims on a daily basis.
Similar to other ransomware gangs, such as Hive and Conti, LockBit may also rebrand and reorganize under different names in response to law enforcement actions. It has been reported that members of Conti are now operating under new aliases, including Black Basta, BlackByte, and Karakurt, while former members of Hive have formed a new group called Hunters International.
While the recent takedown of LockBit has been hailed as a significant success, it is unlikely to end any differently from previous law enforcement operations, and the signs are already apparent.
In their verbose statement, LockBit claimed that law enforcement only obtained a limited number of decryptors, arrested the wrong people, and failed to take down all of their websites. The group also promised to enhance the security of their infrastructure, manually release decryptors, and continue their affiliate program.
LockBit’s rant continued by bravely proclaiming that no amount of FBI pressure can intimidate or halt their operations, as their years of work have ensured the stability of their services.
The NCA acknowledged that it had expected LockBit to attempt to regroup and rebuild its systems, but said it stands behind its ongoing efforts to disrupt the gang.
“We have gathered a significant amount of intelligence about the group and its members, and we continue to target and disrupt their activities,” said NCA spokesperson Richard Crowe.
The admission by law enforcement that they are still actively working to disrupt LockBit’s operations suggests that the gang is far from finished, and was never truly defeated to begin with.