LockBit is Back With New Claims and Victims

LockBit Ransomware is Back After Europol Takedown
Infamous fraudsters managed to recover their network infrastructure

The story around the LockBit ransomware takedown on February 19 continues to unfold. After almost a week of downtime and silence, the infamous gang is back online on a new Onion domain, boasting new hacks. To top it all off, the infamous LockBitSupp released a lengthy statement about what happened and what’s next.

LockBit Ransomware is Back After Law Enforcement Takedown

Following the takedown of all the Darknet sites that belonged to LockBit ransomware, the gang’s representatives were mostly silent until February 24, 2024. At around 21:00 GMT, the chief of the cybercrime gang released a long PGP-signed message explaining events from the hackers’ point of view. In it, they describe the supposed way they were hacked and the future of LockBit. Spoiler – not a lot will change, except that LockBitSupp promises to be less lazy.

PGP signed message that LockBitSupp published on February 24

As for the way the law enforcement agencies managed to access the servers, a PHP vulnerability is named: CVE-2023-3824, discovered back in August 2023, allows remote code execution and received a CVSS rating of 9.8/10. Well-deserved, considering how popular PHP is; LockBitSupp even supposes that other threat actors who were hacked recently fell victim to this exact vulnerability.

The hacker also supposes that the FBI could have had access to the network for quite some time. The reason law enforcement decided to pull the trigger, in his telling, is the publication of data leaked from the Fulton County court, specifically documents regarding Donald Trump’s court cases.

Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates, but all you need to do to not get caught is just quality cryptocurrency laundering. The FBI can sit on your resources and also collect information useful for the FBI, but do not show the whole world that you are hacked…

Why did it take 4 days to recover? Because I had to edit the source code for the latest version of PHP, as there was an incompatibility.

LockBitSupp

LockBit Takedown Aftermath

So, what do we see almost a week past the takedown of LockBit? Law enforcement agencies dealt quite a lot of damage to both the group’s image and its hardware. The amount of leaked information, including decryption keys and data stolen from companies’ networks, seriously cuts into the profits of the ransomware gang. And considering the detentions in Poland and Ukraine, the leaks were not only about operational information – personal data of malware operators was also exposed to some extent.

However, this was barely enough to force the LockBit gang to stop. Sure, they are now starting from scratch, with only a few listings present on their reborn leak page. But they will carry on, taking past mistakes into account. The individuals captured in Eastern Europe are unlikely to be affiliates – more probably just server administrators or money mules. LockBit’s story keeps rolling, and I’m pretty sure they have a couple of aces up their sleeves.


By Stephanie Adlam
