In mid-February, the LockBit ransomware group affiliate site, its data leak website, and 32 servers were taken over after a global law enforcement operation; nonetheless, the takedown looks short-lived, since the LockBit data leak site is already restored. The LockBit group has likewise published a long post about what transpired together with the group’s plans for upcoming attacks. The post stated that the seizure won’t impact operations and that LockBit will keep on with more ransomware attacks targeting the government sector.
Operation Cronos was a joint effort among law enforcement organizations in the United Kingdom, Europe, and the United States. A sequence of press releases reported the achievement of the operation. LockBit decryption keys, source code, and cryptocurrency wallets were seized, and a decryptor was issued that would let LockBit attack victims get back their encrypted files. The National Crime Agency of UK likewise intended to disclose the LockButSupp, the assumed head of the operation, though that fact was not shared. Rather, the leak website had a post with regards to the identity of LockBitSupp.
In the posting, the LockBit group stated that the campaign of the FBI and the other law enforcement bureaus that took part in Operation Cronos were planned to bully and threaten the group into closing down, nevertheless, the group was rebellious and stated the attacks would go on, even with the takedown. The group boasted concerning the money he had generated and stated that the wealth amassed and the luxuries that could be paid for didn’t give nearly as much pleasure as operating the LockBit operation.
The LockBit group mentioned the FBI probably took advantage of a PHP vulnerability, CVE-2023-3824, to get access to the servers of LockBit. It might not be this CVE, although something else similar to 0-day for PHP. This is probably how the victims’ chat panel server, blog server, and administrator account were accessed. LockBitSupp mentioned the inability to patch was caused by the organization’s cybersecurity negligence and irresponsibility.
The LockBit group at the same time affirmed that backup servers that did not install PHP were not compromised or taken and that the takedown was timed to hinder the publishing of records stolen from Fulton County in Georgia during an attack last January, which could impact the result of the approaching U.S. Presidential election. The attack led to the theft of the records from the county court and tax systems. Fulton County is the location that holds the hearing of a lawsuit against Donald Trump and 18 codefendants concerning the claimed initiatives to overturn the election in 2020.
In the posting, LockBit stated the takedown wasn’t as big as it looked. Just close to 1,000 ransomware decryptors were acquired, but its servers have about 20,000, that the record of LockBit affiliates that was acquired and publicized doesn’t contain any real nicknames or monikers employed in forums, and as a reaction to the attack, alterations would be undertaken to make any attempted takedowns in the future much tougher, for instance decentralizing the hosting of its admin panel. The group additionally said that the recovery took four days to complete because of an incompatibility with the newest PHP version, which needed a modified source code.
The LockBit group core members are thought to reside in Russia, where they are left alone provided that their actions align with the aims of Russia and they do not perform attacks around Russia or in a Commonwealth of Independent States (CIS). Russia moves against threat actors that disobey those operating regulations. Lately, Russia stated that three members of the SugarLocker ransomware gang were detained for carrying out attacks in Russia and CIS nations; nevertheless, no action will possibly imposed against any LockBit group member.
The LockBit seizure has disturbed LockBit operations and ruined the group’s name in the cybercriminals group. The long post describing the attack and the measures that will be taken down the road seems to be damage management and an effort to reestablish the reputational harm caused, although affiliates can now choose to turn to another ransomware-as-a-service operation. Only time can tell how fast, and to what magnitude, LockBit could recover although it presently looks not likely that the group can easily go back to its earlier held status as the most threatening and respected ransomware group.
