LockBit rises from the ashes, but will it pack the same punch as before?

LockBit website interface showing NCA, FBI, and law enforcement agency insignia after a joint police action seized LockBit's dark web site.
(Image credit: National Crime Agency)

Ransomware operator LockBit has reemerged on a new dark web leak site just days after a joint law enforcement operation seized control of the group’s infrastructure.

Moving to a new .onion address hosted on new servers, the collective appears to be back up and running and has already populated its new leak site with a number of new victims.

These are presumably targets from its most recent operations that were interrupted by the takedown on Tuesday 20 February.

In a signed PGP message distributed via its new domain, LockBit’s administrator claimed the takedown was only possible due to carelessness on its part, mainly failing to update its servers running the PHP scripting language.

“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time, the servers had PHP 8.1.2 version installed, which was successfully penetration tested most likely by this CVE, as a result of which access was gained to the main two servers where this version of PHP was installed.”

Speaking to ITPro, Matt Middleton-Leal, EMEA managing director at IT security specialist Qualys, said that, just like legitimate businesses, hacking groups need to observe good cyber hygiene and patch regularly to avoid takedowns like this.

“All organizations need to keep up to date with their patches across their IT assets. Hacking groups are no exceptions. While there was an oversight on their part around keeping updated, it’s not uncommon. It’s exactly the same issue that IT teams find as risks in their organizations every day.”

The group claims the operation only affected its servers running PHP, so none of its backup systems was impacted, and it says the stolen data stored on those systems will continue to be published.

The message also disputes the claim that the authorities were able to access around 1000 decryptors, some of which were published on the compromised leak site.

The group added that even if the figure were accurate, it would only reflect a fraction of the decryptors it had produced since it began operations.

“Note that the vast majority of unprotected decryptors are from partners who encrypt brute force dedicas and spam single computers, taking $2000 ransoms, i.e. even if the FBI has 1000 decryptors, they are of little use, the main thing is that they didn't get all the decryptors for the entire 5 years of operation, which number is about 40000,” the gang said. 

“It turns out that the FBI were only able to get hold of 2.5% of the total number of decryptors, yes it's bad, but it's not fatal.”

Will the LockBit resurgence last?

There is precedent for cyber gangs persisting long after they were targeted by law enforcement stings.

In October 2023, security researchers warned that hackers affiliated with the malware family Qakbot remained a pervasive threat after a law enforcement takedown in August that year.

The resurgence sparked questions about the efficacy of takedowns of this nature, with similar examples involving the Emotet botnet reemerging online four months after being ‘shut down’ in November 2021.

Middleton-Leal said he believes it will take more than a one-off operation to bring down a group of LockBit’s size.

“It is better to think of Lockbit as a well-organized and well-funded business rather than a hacker gang. The fact the agencies have managed to turn the tables on them is a fantastic achievement, but this type of take down will need to be an ongoing activity rather than a one-off event.”

But Middleton-Leal said he does expect there to be a period of downtime before affiliates are able to get back on their feet.

“Splinter organizations or affiliates will take some time to appear and time to become effective again, as they will need to alter their techniques. That said, ransomware businesses rely on them continually transforming their attack methodologies.”

Dr Ilia Kolochenko, CEO and chief architect at ImmuniWeb and adjunct professor of cyber security and cyber law at Capital Technology University, agreed, noting that groups of LockBit’s size are not easily dismantled by one-off operations.

“The resurrection is not surprising: LockBit is a mature, well-organized and seasoned cybercrime group that cannot be easily dismantled compared to smaller ransomware entities that were elegantly smashed by joint operations of law enforcement agencies in 2023.”

But Kolochenko suggested there may still be hope that the operation will bear longer-lasting fruit in terms of shutting LockBit down for good.

“Nonetheless, according to the information published by media and law enforcement agencies, the latter managed to get a full list of victims, payments and other details of LockBit’s ransomware empire”, Kolochenko noted.

“First, this data can potentially serve as invaluable intelligence for further investigations that may eventually expose the whereabouts and identities of LockBit’s members. Second, it is interesting whether law enforcement agencies will now pass the collected information to other national authorities to eventually probe LockBit’s victims.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.