LockBit re-emerges a week after takedown
'Damage control for the LockBit brand, a show of strength'
The LockBit ransomware gang is relaunching its operations on new infrastructure less than a week after international law enforcement took down its servers and retrieved cryptocurrency and decryption keys in Operation Cronos.
The gang said that only servers running PHP were affected. It said the enforcement agencies exploited a PHP vulnerability (CVE-2023-3824), blaming its own "negligence and irresponsibility" in not updating PHP.
"All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies," the group said, on a new darkweb site.
A spokesperson for the UK national crime authority (NCA) said in a statement that the organisation was not surprised to see the group re-emerge.
"We recognised Lockbit would likely attempt to regroup and rebuild their systems. However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues."
LockBit said it plans to decentralise its infrastructure, manually release decryption keys, and provide different access levels to affiliates to improve security.
It also threatened to focus more attacks on government targets.
While Cronos undoubtedly dealt a major blow, security experts warn that LockBit's significant financial resources - the gang is estimated to have accrued $91 million from US attacks alone - and resilience will allow them to adapt and restore operations.
Operating in Russia and former Soviet states puts the gang out of reach of the FBI, NCA and allied law enforcement authorities. It may also be protected or supported by the Russian authorities.
"One has to question if the financial resources of groups such as Lockbit are somewhat broader in scope than the law enforcement teams tasked with their disruption," commented Richard Cassidy, EMEA CISO at Rubrik.
"They have the economic power to re-group and develop new tactics, techniques, and procedures, learning and adapting from the errors that led to their disruption, thus reinventing their approach as necessary."
However, Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, said that despite its resilience, the information gleaned from Cronos could help the agencies to further weaken LockBit, as the NCA suggested.
"The seizure of vast amounts of LockBit's infrastructure will have provided a treasure-trove of intelligence that can refine law enforcement efforts in the future. If the NCA and supporting organisations are able to build on this initial success—including identifying senior LockBit members—it is realistically possible that they will be able to remove this criminal enterprise for good."
Stephen Robinson, senior threat intelligence analyst at WithSecure, questioned the information provided by LockBit. How could they possibly know how the law enforcement agencies had compromised their systems?
"The purpose of the message is not to communicate fact, but to engage in PR and reputational damage control for the LockBit brand as a show of strength," he said.