
LockBit Ransomware Gang Resurfaces With New Leak Site

The LockBit ransomware operators announce a new leak site as they try to restore credibility after law enforcement takedown.


The LockBit ransomware operators launched a new leak site over the weekend, claiming they restored their infrastructure following a law enforcement takedown and inviting affiliates to re-join the operation.

On February 19, LockBit was severely disrupted by law enforcement in North America, Europe, and Asia, which seized 34 servers, took over the group’s Tor-based leak sites, froze cryptocurrency accounts, and harvested technical information on the RaaS.

Authorities also announced that they obtained 1,000 decryption keys that will help victim organizations to recover their data without paying a ransom, and that two individuals suspected of being involved in the operation were arrested.

Shortly after, the US government announced a $10 million reward for information on LockBit leaders and a $5 million reward for information on affiliates, along with charges and sanctions against two Russian nationals believed to be associated with LockBit.

Authorities said they gained “unprecedented and comprehensive access to LockBit’s systems” and, to taunt the operators, replaced existing posts on the seized leak site with messages containing reports on the group’s activities, information on arrests, and details on rewards and sanctions, even suggesting that they know who the LockBit leader is and that he “has engaged with law enforcement”.

Over the weekend, an individual involved with the RaaS, who uses the moniker “LockBitSupp”, launched a new leak site that lists hundreds of victim organizations and contains a long message providing his view on the takedown.

According to LockBitSupp, a PHP flaw led to the seizure of the vulnerable sites, but sites not running the scripting language were not seized. In fact, some of the group’s known mirror sites are now linking to the new portal.

He also says that law enforcement obtained 20,000 decryption tools, including 1,000 unprotected builds of the locker (out of 40,000 issued during LockBit’s five-year run), and that the takedown was a reaction to the January hack of Georgia’s Fulton County.


The LockBit operator also says that the takedown has motivated him to improve protections, including decentralizing the operation even more and manually releasing each decryptor.

The long message appears to be an attempt to restore credibility, which the RaaS badly needs, not only following the major impact from the law enforcement takedown, but also because the LockBit ‘brand’ has suffered months of decline.

According to Trend Micro, despite accounting for roughly 25% of the ransomware attacks over the past year, LockBit has had difficulties in attracting and retaining affiliates, has experienced technical difficulties with its leak sites, and has delayed the release of a new ransomware variant.

“The recent public call to ALPHV (BlackCat) and NoEscape affiliates to join the LockBit group has an air of desperation around it. In the past, threat actors were clamoring to join the group. In more recent times, however, it looks like the LockBit operators are desperate for fresh affiliates and actively looking for opportunities to capitalize on the misfortunes of rival groups,” Trend Micro says.

According to Prodaft, however, LockBit had roughly 190 affiliates, some of which were tied to other notorious cybercrime groups, including EvilCorp, FIN7, and Wizard Spider.

The cybersecurity firm also notes that LockBitSupp has lost his credibility on several underground hacking forums after disgruntled affiliates complained about not being paid, and that he was banned from at least two such portals.

However, it appears that the RaaS leader is readying a new version of the malware. Dubbed LockBit-NG-Dev and still under development, it is written in .NET, is platform-agnostic, does not self-propagate, has fewer capabilities compared to previous iterations, but is powerful enough to evolve into LockBit 4.0.

“With the seeming delay in the ability to get a robust version of LockBit to the market, compounded with continued technical issues — it remains to be seen how long this group will retain their ability to attract top affiliates and hold its position,” Trend Micro notes.

Threat intelligence firm RedSense says that the true mastermind behind the RaaS is a ‘ghost group’ named Zeon that consists of former Conti operators and has also invested in the Akira, 3AM, and BlackCat ransomware operations.

According to RedSense, the takedown of LockBit’s leak site and the surrounding social infrastructure was a major blow to Zeon, which will likely focus on Akira instead, as LockBit will never recover.

“The rebuilding of the infrastructure is very unlikely; LockBit’s leadership is very technically incapable. People to whom they delegated their infrastructural development have long left LockBit, as seen by the primitivism of their infra,” RedSense said.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.

