LockBit restores servers following law enforcement takedown

Law enforcement agencies last week announced a takedown of the LockBit ransomware gang that involved the seizure of servers, websites and decryption keys, as well as two arrests.

The LockBit ransomware gang is attempting a comeback mere days after suffering a major takedown at the hands of an international law enforcement operation.

Law enforcement agencies last week announced "Operation Cronos," a long-planned takedown of LockBit led by U.K.'s National Crime Agency (NCA). The operation also involved law enforcement organizations from the U.S., Canada, France, Germany and several other nations. The law enforcement agencies seized 28 servers in three countries and also took control of LockBit's leak site and the group's admin portal. Two suspects in Poland and Ukraine were also arrested, though they have not been identified.

In a video statement released alongside the Operation Cronos announcement, U.S. Attorney General Merrick Garland said LockBit was responsible for more than 2,000 victims and more than $120 million in extortion payments. In 2022, Malwarebytes called LockBit the most prolific ransomware gang. Its higher-profile victims have included the U.K.'s Royal Mail and Boeing.

At the time, NCA Director General Graeme Biggar said in an announcement that LockBit operators had been "locked out" and that the takedown damaged its credibility. While Biggar noted LockBit may seek to rebuild its criminal enterprise, that time may have come only four days later.

On Saturday, LockBit restored its servers with new .onion domains. Shortly after, an administrative staffer published a lengthy message responding to the takedown. In the post, the admin said the gang's security suffered because the post's author "became very lazy." The author also said a critical PHP vulnerability, tracked as CVE-2023-3824, was likely responsible for the compromise, but they weren't sure and said it also could have been a zero-day vulnerability.

The LockBit administrator blamed the takedown on the FBI, and said the bureau decided to hack the gang because LockBit had obtained sensitive information about former U.S. President Donald Trump that could supposedly affect the upcoming presidential election. LockBit ransomware recently struck Fulton County, Ga., where authorities are pursuing criminal charges against Trump and several co-defendants for allegedly trying to subvert the 2020 presidential election.

"The FBI decided to hack now for one reason only, because they didn't want to leak information from https://fultoncountyga.gov/ the stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election," the post's author wrote. "What conclusions can be drawn from this situation? Very simple, that I need to attack the .gov sector more often and more, it is after such attacks that the FBI will be forced to show me weaknesses and vulnerabilities and make me stronger."

In a statement shared with TechTarget Editorial, an FBI spokesperson said the bureau anticipated a comeback and noted that offering decryption keys to victims was the priority of the operation. The full statement reads as follows:

"The FBI and its partners anticipated LockBit threat actors would attempt to regroup and rebuild; however, the opportunity to offer over a thousand victims the ability to decrypt their networks is our focus and we will continue to provide assistance to those who have been impacted.

"While a subject can stand up new infrastructure, we made it more difficult for them to operate, prevented countless new victims, and tarnished its reputation as the most prolific ransomware in existence. The FBI continues to maintain our disruptive activities against cyber actors threatening security for any organization or individual."

Emsisoft threat analyst Brett Callow told TechTarget Editorial he was not surprised by LockBit's attempted comeback given the scale of its business, and that while the gang's apparent return was swift, Operation Cronos should not be seen as a failure.

"While the attempted comeback certainly highlights the challenges of permanently ending a ransomware operation, it doesn't mean the disruption was a failure," he said. "On the contrary, it was a very big win that resulted in law enforcement obtaining information that will hopefully enable them to make more arrests and cause more disruption in the ransomware supply chain. It's also likely that, despite LockBit's attempts at damage control, law enforcement has struck a fatal blow to the brand. Other cybercriminals simply will not trust the integrity of the LockBit operation or want to work with the individuals behind it."

Christopher Budd, director of threat intelligence at Sophos, cautioned that even if a takedown was "100% effective" and resulted in the arrest of all its members, "it won't stop the malware that's already in the wild and now outside of that group's control."

"This underscores another, often overlooked way in which these criminal groups threaten everyone: Their offensive capabilities become part of the broader threat environment, subject to no one's control," Budd said. "You can be threatened and attacked by the malware developed by a group like LockBit without being threatened and attacked by them directly."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.