The LockBit ransomware gang says it’s back in business, with a person posting a message admitting his “personal negligence and irresponsibility” for not updating an application was likely used by law enforcement last week to dismantle much of the operation’s IT infrastructure.
This explanation is included in an English and Russian message on the gang’s new TOR site. The full text has been posted on X by vx-underground.
The sometimes rambling message, titled, “What happened,” is dated Feb. 24 and gives an account of the Feb. 19 attack, claims without evidence that the FBI attacked now because the gang or an affiliate had stolen documents related to a Georgia investigation into allegations Donald Trump and others tried to interfere with the results of the 2020 presidential election in the state that LockBit was about to release, claims the gang has not been put out of business and vows there will be retaliatory attacks on U.S. .gov domains.
The new LockBit site lists several new victims as well as Fulton County, Ga. According to the news site Databreaches.net, LockBit claimed to have hit the county before the Feb. 19 takedown of its infrastructure.
In the Feb. 24 message, the author writes that on Feb. 19 he detected “penetration testing” on two of his servers. An error was detected, but nothing apparently changed. “I didn’t pay much attention to it, because for 5 years of swimming in money I became very lazy, and continued to ride on my yacht with titsy girls.”
However, 14 hours later, after a new server error popped up, he said he couldn’t log in. “As it turned out later, all the information on the disks was erased.”
The problem, he believes, is that he hadn’t updated the servers’ PHP, an open-source general-purpose scripting language used for web development. He believes the attackers accessed two LockBit servers through this or another zero-day vulnerability.
“The new servers are now running the latest version of PHP,” the letter adds. “I noticed the PHP problem by accident and I’m the only one with a decentralized infrastructure with different servers, so I was able to quickly figure out how the attack happened. If I didn’t have backup servers that didn’t have PHP on them, I probably wouldn’t have figured out how the hack happened.”
“The fact that LockBit has relaunched its website isn’t particularly surprising, and doesn’t mean the disruption effort was unsuccessful,” Brett Callow, Canadian-based threat analyst with Emsisoft, told IT World Canada. “On the contrary, law enforcement likely obtained valuable information that will enable them to identify and take action against LockBit’s past and present affiliates as well as others involved in the ransomware supply chain.
“Realistically, this is likely the end of the LockBit brand. Other cybercriminals will not be willing to risk working with an operation that was so thoroughly compromised. It’d simply be too risky.”
The U.K.’s National Cybercrime Agency says it obtained “the LockBit platform’s source code and a vast amount of intelligence from their systems about their activities and those who have worked with them and used their services to harm organizations throughout the world.” Working with the FBI and law enforcement agencies from nine other countries, they seized a LockBit data exfiltration tool, known as Stealbit, 28 servers belonging to LockBit affiliates and over 1,000 data decryption keys.
The LockBit author says the FBI got “a database, web panel sources, locker stubs that are not source as they claim and a small portion of unprotected decryptors.”
“Yes it’s bad,” the author says of the loss of the decryptors, “but it’s not fatal.” He claims there were over 20,000 more decryptors that were protected and can’t be used by victims to unscramble their data.
The seized database, he says, has “generated nicknames” and not real nicknames of LockBit partners. But, he admits law enforcement did get cryptocurrency wallets. But he says people will be arrested and accused of being partners, which, he says, they aren’t.
As for police getting the source code of the panel, what remains of the panel will be divided into many servers for verified partners, the LockBit author says, with each partner getting their own copy. to reduce the chance of a future hack.
Police said several alleged LockBit gang members were arrested, but LockBit believes these were only people who laundered cryptocurrency.
“The FBI decided to hack now for one reason only,” the LockBit author claims — because they didn’t want to see a leak of information from Fulton County, Ga., where former U.S. President Donald Trump and others are being investigated for allegedly trying to change the outcome of the 2020 election in the state.
If it wasn’t for the FBI attack, the author claims, the documents would have been released on Feb. 19. “because the negotiations stalled, right after the partner posted the press release to the [LockBit] blog … Had it not been for the election situation the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates, but all you need to do to not get caught is just quality cryptocurrency laundering.”
“Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment,” the message says. “And after introducing maximum protection on every build of locker, there will be no chance of free decryption, even for 2.5 per cent of attacked companies.”
“New affiliates can work in my affiliate program if they have a reputation on the forum, can prove they are pentesters with post-pay-payment, or by making a deposit of 2 bitcoins, the deposit increase is due to proof and beautiful advertising from the FBI, which is that my affiliates and I earn together hundreds of millions of dollars, and that no FBI with their assistants can scare me and stop me, the stability of the service is guaranteed by years of continuous work.”
According to researchers at Switzerland-based Prodaft, LockBit has seven affiliates that use its ransomware-as-a-service, some of which have ties to other threat actors such as FIN7, Wizard Spider, and EvilCorp. One focuses almost exclusively on GIT and Jenkins Servers, another relies on compromised Microsoft RDP server information from certain initial access brokers, while a third primarily focuses on vulnerable Fortigate and Citrix platforms. Some train other affiliate gangs.
