Risk & Repeat: LockBit resurfaces after takedown

LockBit returns just days after an international law enforcement operation infiltrated the ransomware gang's network and seized infrastructure, source code and decryption keys.

LockBit restored its servers mere days after law enforcement officials announced a takedown of the infamous ransomware group.

Last Tuesday, several international law enforcement agencies announced Operation Cronos, which infiltrated and disrupted LockBit's network. The U.K.'s National Crime Agency led the operation, which featured collaboration from agencies in the U.S., Canada, France, Germany, Australia and others. The announcement was notable, as LockBit has long been considered one of the most prolific ransomware gangs; it has been credited with high-profile attacks against organizations including Boeing and the U.K.'s Royal Mail.

The operation resulted in two arrests in Poland and Ukraine; the seizure of 28 servers in three countries and more than 1,000 decryption keys; the takedown of LockBit infrastructure, such as its data leak site; and U.S. indictments against two Russian nationals. But despite the success of the operation -- as well as statements from law enforcement at the time that suggested LockBit was dismantled -- the gang attempted a comeback only four days later.

On Saturday, LockBit restored its servers with new .onion URLs, and administrative staff penned a message claiming that the FBI took down LockBit due to sensitive information the group supposedly obtained involving former U.S. President Donald Trump in its attack against Fulton County, Ga. In addition, the post's author said they believed critical PHP vulnerability CVE-2023-3824 was responsible for the group's takedown.

On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the law enforcement takedown of LockBit, the group's supposed comeback and the long-term implications of Operation Cronos.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
