
LockBit Ransomware Gang Resurfaces With New Leak Site

The LockBit ransomware operators announce a new leak site as they try to restore credibility after law enforcement takedown.


The LockBit ransomware operators launched a new leak site over the weekend, claiming that they have restored their infrastructure following a law enforcement takedown and inviting affiliates to rejoin the operation.

On February 19, LockBit was severely disrupted by law enforcement in North America, Europe, and Asia, which seized 34 servers, took over the group’s Tor-based leak sites, froze cryptocurrency accounts, and harvested technical information on the RaaS.

Authorities also announced that they obtained 1,000 decryption keys that will help victim organizations to recover their data without paying a ransom, and that two individuals suspected of being involved in the operation were arrested.

Shortly after, the US government announced a $10 million reward for information on LockBit leaders and a $5 million reward for information on affiliates, along with charges and sanctions against two Russian nationals believed to be associated with LockBit.

Authorities said they gained “unprecedented and comprehensive access to LockBit’s systems” and, to taunt the operators, they replaced existing posts on the seized leak site with messages containing reports on the group’s activities, information on arrests, details on rewards and sanctions, and even suggesting they know who the LockBit leader is and that he “has engaged with law enforcement”.

Over the weekend, an individual involved with the RaaS, who uses the moniker of “LockBitSupp”, launched a new leak site that lists hundreds of victim organizations and which contains a long message providing his view on the takedown. 

According to LockBitSupp, a PHP flaw enabled the seizure of the sites running that scripting language, while the sites not running PHP were not seized. In fact, some of the group’s known mirror sites are now linking to the new portal.

He also says that law enforcement obtained 20,000 decryption tools, including 1,000 unprotected builds of the locker (out of 40,000 issued during LockBit’s five-year run), and that the takedown was a reaction to the January hack of Georgia’s Fulton County.


The LockBit operator also says that the takedown has motivated him to improve protections, including decentralizing the operation even more and manually releasing each decryptor.

The long message appears to be an attempt to restore credibility, which the RaaS badly needs, not only following the major impact from the law enforcement takedown, but also because the LockBit ‘brand’ has suffered months of decline.

According to Trend Micro, despite accounting for roughly 25% of ransomware attacks over the past year, LockBit has had difficulties attracting and retaining affiliates, has experienced technical difficulties with its leak sites, and has delayed the release of a new ransomware variant.

“The recent public call to ALPHV (BlackCat) and NoEscape affiliates to join the LockBit group has an air of desperation around it. In the past, threat actors were clamoring to join the group. In more recent times, however, it looks like the LockBit operators are desperate for fresh affiliates and actively looking for opportunities to capitalize on the misfortunes of rival groups,” Trend Micro says.

According to Prodaft, however, LockBit had roughly 190 affiliates, some of which were tied to other notorious cybercrime groups, including EvilCorp, FIN7, and Wizard Spider.

The cybersecurity firm also notes that LockBitSupp has lost his credibility on several underground hacking forums after disgruntled affiliates complained about not being paid, and that he was banned from at least two such portals.

However, it appears that the RaaS leader is readying a new version of the malware. Dubbed LockBit-NG-Dev and still under development, it is written in .NET, is platform-agnostic, does not self-propagate, and has fewer capabilities than previous iterations, but is powerful enough to evolve into LockBit 4.0.

“With the seeming delay in the ability to get a robust version of LockBit to the market, compounded with continued technical issues — it remains to be seen how long this group will retain their ability to attract top affiliates and hold its position,” Trend Micro notes.

Threat intelligence firm RedSense says that the true mastermind behind the RaaS is a ‘ghost group’ named Zeon, which consists of former Conti operators and which has also invested in the Akira, 3AM, and BlackCat ransomware operations.

According to RedSense, the takedown of LockBit’s leak site and the surrounding social infrastructure was a major blow to Zeon, which will likely focus on Akira instead, as LockBit will never recover.

“The rebuilding of the infrastructure is very unlikely; LockBit’s leadership is very technically incapable. People to whom they delegated their infrastructural development have long left LockBit, as seen by the primitivism of their infra,” RedSense said.

Related: Cyber Insights 2024: Ransomware

Related: US Offers $10 Million for Information on BlackCat Ransomware Leaders

Related: US Says 19 People Charged Following 2019 Takedown of xDedic Cybercrime Marketplace


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
