The notorious Russia-based ransomware group LockBit, which was taken offline by a sweeping, years-long law enforcement operation, has returned to the dark web with a new leak site listing several new victims.
In a convoluted, borderline incoherent statement released on Saturday, LockBit’s remaining administrator blamed its own negligence for last week’s outage. A global law enforcement effort took over the ransomware gang’s infrastructure by exploiting a vulnerability in LockBit’s public websites, including the dark web leak site the gang used to post data stolen from victims.
“Operation Cronos,” as the feds dubbed it, also saw the takedown of 34 servers across Europe, the UK and the US, the seizure of more than 200 cryptocurrency wallets and the arrest of two alleged LockBit members in Poland and Ukraine.
Just five days later, LockBit announced that operations had resumed, claiming that it was restoring from backups that were unaffected by the government takedown. In its statement, LockBit’s administrator threatened to retaliate by targeting the government sector.
A spokesman for the National Crime Agency, which led Operation Cronos, told TechCrunch on Monday, after LockBit’s return, that the takedown operation “successfully infiltrated and took control of LockBit’s systems and was able to compromise their entire criminal operation.”
“Their systems have now been compromised by the NCA and it is our assessment that LockBit remains completely compromised,” the NCA said.
Law enforcement claiming a landslide victory while LockBit’s apparent ringleader remains at large, threatening retaliation and targeting new victims puts the two at odds — for now. With more than a dozen new victims claimed since its brazen relaunch, LockBit’s demise may have been overstated.
As the cat-and-mouse game between the feds and criminals continues, so do the battles — and the bold claims on both sides.
While the NCA promised a big reveal of the gang’s longtime ringleader, who goes by the name “LockBitSupp,” the agency revealed little about the operator in a post on LockBit’s hacked dark leak site on Friday.
“We know who he is. We know where he lives. We know what he’s worth. LockBitSupp has cooperated with Law Enforcement :),” the NCA’s vaguely worded message read.
US law enforcement agencies have also offered a multi-million dollar reward for information that “leads to the identification or location of any person or persons in a key leadership position” in the LockBit gang, suggesting that authorities either do not have that information or cannot yet prove it.
With the apparent administrator LockBitSupp still in action, the last remaining piece of the LockBit puzzle, it is unlikely that LockBit will go away. Ransomware gangs are known to quickly regroup and rebrand, even after law enforcement disruptions that claim to have destroyed them for good.
Take another Russia-based ransomware gang: ALPHV, also known as BlackCat, was dealt a similar blow last year when law enforcement agencies seized its dark web leak site and released decryption keys so victims could regain access to their files. A few days later, ALPHV announced that it had “unseized” the leak site and claimed that the FBI only had decryption keys for around 400 companies, leaving more than 3,000 victims whose data remains encrypted.
At the time of writing, the ALPHV leak site remains up and running — and continues to add new victims almost daily.
Other ransomware gangs, such as Hive and Conti, have faced similar law enforcement action in recent years, but are said to have simply rebranded and re-formed under different names. Conti members are said to be operating under the new groups Black Basta, BlackByte and Karakurt, while former Hive members have rebranded as a new ransomware operation called Hunters International.
LockBit’s takedown, while hailed by many as one of the most significant in recent years, is unlikely to be much different, and the signs are already there.
In its lengthy post, LockBit claimed that law enforcement only obtained a handful of decryptors, arrested the wrong people, and failed to take down all the sites under its control. LockBit also promised that, in light of the takedown, it will upgrade the security of its infrastructure, manually release decryptors, and continue its affiliate program.
“No FBI with their assistants can scare me and stop me, the stability of the service is guaranteed by years of continuous work,” LockBit’s rant continued. “They want to scare me because they can’t find me and make me disappear, they can’t stop me.”
The NCA told TechCrunch that the agency “recognized that LockBit would likely attempt to regroup and rebuild its systems,” but said that its work to disrupt the group continues.
“We have gathered a huge amount of information about them and those associated with them, and our work to target and disrupt them continues,” NCA spokesman Richard Crowe said.
Law enforcement’s admission that it’s still working to disrupt the gang tells us everything we need to know: LockBit isn’t dead yet, and probably never was.