Lockbit, one of the world’s most prolific ransom gangs, says it is already back in business after an international police operation shut down its website last week.
Best known for using ransomware to extort victims on a global scale, Lockbit frequently targets hospitals, schools, businesses and government entities.
Earlier this month, the Australian Federal Police (AFP) joined forces with law enforcement agencies from the UK, US, Japan and multiple European nations to disrupt Lockbit’s operations – resulting in 34 server takedowns and multiple arrests.
The closure was expected to cause significant disruptions for the group’s criminal operations.
Now, a Lockbit blog page has resurfaced on the dark web alongside a message downplaying the multinational takedown effort.
In a nearly 3000-word message which can be best described as a rant, a Lockbit member announced plans to upgrade security on its new infrastructure before listing 12 backup blogs for those looking to download stolen data from the platform.
“No hack from the FBI [Federal Bureau of Investigation] can stop a business from thriving, because what doesn't kill me makes me stronger,” said Lockbit.
The group’s statement – which was tauntingly released under a fake data leak listing for ‘fbi.gov’ – went on to specifically threaten increased attacks against US government sites.
“What conclusions can be drawn from this situation? Very simple, that I need to attack the .gov sector more often,” it read.
Since re-launching, the new dark web blog has listed 15 victims with countdown timers for leaking stolen data, including Australian car dealership group Eagers Automotive.
Lockbit also listed a US county among its victims – threatening to leak stolen documents which allegedly contain sensitive information about US presidential candidate Donald Trump’s recent court cases.
“The stolen documents contain a lot of interesting things about Donald Trump's court cases that could affect the upcoming US election,” Lockbit wrote.
“Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates.”
PHP complacency led to downfall
The group said law enforcement likely managed to hack the Lockbit platform by using a vulnerability in PHP – a widely used server-side programming language for building websites.
Lockbit said it hadn’t updated its PHP version due to “personal negligence and irresponsibility”, leaving the site exposed to a critical vulnerability tracked as CVE-2023-3824.
“I didn't pay much attention to it, because for 5 years of swimming in money I became very lazy,” the message read.
The group said it took only 4 days to recover while it worked on incompatibilities between its code and the latest version of PHP, going on to claim it is mostly back to business as usual.
Lockbit operates under a ransomware-as-a-service model, where affiliates can purchase and deploy its ready-made ransomware for their own criminal exploits.
While Lockbit’s response has been ostensibly boastful, the group could also be performing some much-needed damage control after the multinational takedown operation dented its reputation among said affiliates.
And according to Reuters, a spokesperson for the UK’s National Crime Agency (NCA) said Lockbit remains “completely compromised”.
“We recognised Lockbit would likely attempt to regroup and rebuild their systems.
“However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues,” the NCA said.
Meanwhile, Paolo Passeri, cyber intelligence principal at cyber security company Netskope, suggested Lockbit may now be better prepared for future takedown attempts.
“What caught my eye in Lockbit's latest announcement is that the group explicitly mentions the existence of ‘backup blogs’, suggesting they’ve built a resilient infrastructure with a whole contingency plan, in case the group gets taken over,” said Passeri.
“Even the bad guys are now applying business best practice and building resilient infrastructure to ensure they are protected.
“Ransomware is now big business, and attackers clearly have huge resources, making it a more pervasive and resilient threat.”