
LockBit Ransomware Group Says It Is Back in Business, Debuts New Data Leak Site

Shortly after a major international law enforcement takedown, the LockBit ransomware group says that it is back online and has launched a new data leak site complete with “countdown clocks” for its current victims.

The UK’s National Crime Agency says that LockBit remains “completely compromised,” so it appears that the group has set up or shifted to new infrastructure. While the group was expected to rebound in some way, the speed with which it has seemingly restored its business has surprised some security analysts.

LockBit ransomware draws on backup capacity to keep operating

The law enforcement operation that took place earlier in the month did not seize all of the LockBit ransomware gang’s assets, but it did include the capture of its data leak site and the arrest of members located in Ukraine and Poland. With senior leadership still on the loose (and presumably in Russia), it was assumed that LockBit would carry on for some time in a diminished way, or possibly break up and reform under a new name. Instead, the group seems determined to restore its original capacity as soon as possible.

The LockBit ransomware group had previously posted a statement disclosing that law enforcement had exploited PHP vulnerabilities to break into some of its dark web sites, including the data leak site. However, the group also claimed to have backup servers that did not run PHP, which would allow it to rebound. That claim appears to have been accurate, as the group has launched a new data leak site listing victims of its ransomware and the time left for each to begin negotiating a payment before stolen documents are dumped.

The law enforcement action involved the seizure of thousands of decryption keys for the current “3.0” version of the LockBit ransomware, so it is unclear whether the victims now listed on the new site can expect any relief from that trove. The group is also facing likely heavy reputational damage in the criminal underworld, as its affiliate portal was compromised by law enforcement along with its prior data leak site.

Launch of new data leak site accompanied by lengthy rant

The LockBit ransomware leadership not only announced that the gang was back in business, but also attached a lengthy rant that covered everything from promising more attacks on US government agencies in retribution to endorsing Donald Trump in the presidential election.

The group also laid out its plans for better security in the future, even offering a reward to anyone that could hack its main site. Leadership also cited “personal negligence and irresponsibility” as the reason for the law enforcement breach, claiming that five years of financial success had caused them to become a little sloppy.

The whole thing appeared to mostly be focused on reassuring affiliates that LockBit ransomware is still a premium criminal brand, but the group also alluded to sitting on “a lot of interesting things (on) Donald Trump’s court cases that could affect the upcoming US election” as a result of its January breach of Fulton County, Georgia’s government systems. The county is the home of Atlanta and the largest in the state, and has been a flash point of election controversy after claims of ballot fraud in the 2020 election made by the Trump campaign led in turn to a racketeering case against the former president and his associates.

LockBit ransomware leadership also claimed that the decryption keys taken during the data leak site raid were exclusively “unprotected decryptors,” or essentially a budget version used by affiliates that attack smaller targets and usually demand ransoms in the single thousands of dollars.

The National Crime Agency has claimed that it knows the identity of group leader LockBitSupp, but has yet to release it to the public. LockBitSupp had been reported to be working with law enforcement after the raid on the data leak site, but was defiant in his most recent statement and claimed that he would continue with ransomware as long as he was alive. The US government has a standing reward offer of up to $10 million for information leading to the arrest of the group’s leadership, and up to $5 million for information leading to the arrest of anyone who has used LockBit ransomware in an attack.

Despite the defiant statement, the disruption of LockBit appears to have still been very significant. The group was on top of the world with one of the biggest shares of the ransomware-as-a-service market in 2023, but security analysts note that the group has had to push back the release of its new ransomware variant and that affiliates are already starting to abandon it.

Roger Grimes, data-driven defense evangelist at KnowBe4, believes that taunting law enforcement will not prove to be a positive development for the group: “It’s not unexpected that a taken down ransomware group gets back up and running, although the fact LockBit had such a big disruption and got back up so quickly is a little surprising. In general, though, taunting the FBI and law enforcement authorities rarely works out for the criminal. Law enforcement usually takes it personally and expends extra effort to take them down again. Most ransomware groups get away with what they get away with because they stay under the radar. Challenging and mocking law enforcement isn’t staying under the radar. Not only that, but with the previous LockBit takedown, law enforcement got a really good look at inside operations. The new LockBit deployment isn’t going to be that different. What law enforcement learned from the previous takedown is likely to help with the next.”

Alastair Williams, Vice President of Worldwide Systems Engineering at Skybox Security, advises organizations to not assume that ransomware groups are finished just because some assets have been seized: “Continuous Threat Exposure Management (CTEM) emerges as a vital solution in this context. Unlike periodic security measures, CTEM offers an ongoing process of identifying and addressing vulnerabilities, tailored to the rapidly evolving digital threat landscape. This situation highlights the imperative for organizations to adopt continuous and adaptive cybersecurity methodologies in today’s high-risk digital environment.”

Jon Miller, CEO & Co-founder at Halcyon, agrees that high-level arrests are the only real indicator that a group is truly finished as a threat: “Law enforcement actions and government sanctions against ransomware operators are necessary, but even if these threat actors are arrested or their operations disrupted, there will quickly be another to take their place. While we have seen some scattered arrests of affiliates and other low-level threat actors in the ransomware space, overall, law enforcement has had little impact on disrupting ransomware operations. LockBit quickly bounced back from law enforcement’s takedown of its dark web last week. In one weekend, they were able to generate a new leak site. This takedown, along with LockBit’s response, is incredibly revealing about what law enforcement actions can and can’t do against these well-organized and well-funded ransomware operations. LockBit is particularly hard to crack because they’ve been active since 2019 and are highly adept at security tool evasion, as well as boasting an extremely fast encryption speed. LockBit employs publicly available file-sharing services and a custom tool dubbed Stealbit for data exfiltration. The group was, by far, the most active ransomware operation in 2022 and 2023, and proved they follow through on threats, having exposed a large amount of exfiltrated Boeing data in Q4-2023.”