LockBit Ransomware Group Comes Back Following Takedown by Law Enforcement

The threat actors behind the LockBit ransomware campaign have resurfaced on the dark web with new infrastructure, just days after their servers were taken over by a multinational law enforcement operation. The gang has relocated its data leak site to a new Tor .onion address, and as of this writing, it lists 12 additional victims.

In a lengthy follow-up statement, the LockBit administrator acknowledged that they had neglected to update PHP because of “personal negligence and irresponsibility,” and that several of their websites were likely taken down through exploitation of a critical PHP vulnerability tracked as CVE-2023-3824.

“I realize that it may not have been this CVE, but something else like 0-day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed,” they said.

The FBI “hacked” their infrastructure, they said, as a result of a ransomware attack on Fulton County in January, and the “stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming U.S. election.”

In addition, they demanded that the “.gov sector” be targeted more frequently and claimed that the server from which the authorities had obtained over 1,000 decryption keys contained nearly 20,000 decryptors, the majority of which were secured and made up roughly half of all the decryptors created since 2019. They continued by saying that the affiliates' nicknames had “nothing to do with their real nicknames on forums and even nicknames in messengers.”

But that's not all. The post also attempted to discredit law enforcement, asserting that the FBI's efforts are “aimed at destroying the reputation of my affiliate program” and that the true “Bassterlord” has not yet been found. “Why did recovery take four days? Since there was an issue, I had to modify the source code for the most recent version of PHP,” they stated.

“I'll quit being lazy and make sure that every build loader has the highest level of protection possible. There won't be any automated trial decrypts going forward; instead, all trial decrypts and decryptor issuance will only be done manually. As a result, the FBI won't be able to obtain a single decryptor for free in the potential future attack.”

Three Users of SugarLocker Are Arrested in Russia

This comes after Russian law enforcement took three people into custody in connection with the SugarLocker ransomware operation. Among them is Aleksandr Nenadkevichite Ermakov, also known by the aliases blade_runner, GustaveDore, and Jim Jones.

“The attackers worked under the guise of a legitimate IT firm Shtazi-IT, which offers services for the development of landing pages, mobile applications, scripts, parsers, and online stores,” said F.A.C.C.T., a Russian cybersecurity firm. “The company openly posted ads for hiring new employees.”

The operators are also alleged to have developed custom malware, set up phishing sites impersonating online retailers, and directed user traffic to fraudulent schemes popular in Russia and the countries of the Commonwealth of Independent States (CIS).

SugarLocker first surfaced in early 2021 and later adopted a ransomware-as-a-service (RaaS) model. Through an affiliate scheme, SugarLocker leased its malware to partners who infiltrated targets and delivered the ransomware payload.

Affiliates receive around three-quarters of the ransom money; if the payment reaches $5 million, that share rises to 90%. Intel 471 had already disclosed the cybercrime gang's connections to Shtazi-IT last month.

Ermakov's arrest is noteworthy because it follows financial sanctions imposed on him by Australia, the United Kingdom, and the United States for his alleged involvement in the 2022 ransomware attack on the health insurance provider Medibank.

The attack, which occurred in late October 2022 and was attributed to the now-defunct REvil ransomware group, resulted in unauthorized access to the data of approximately 9.7 million current and former customers.

The stolen data included names, dates of birth, Medicare numbers, and private medical records relating to drug use, mental health, and sexual health. Some of these records were subsequently published on the dark web.

It also follows a report by the news agency TASS stating that a 49-year-old Russian national is to stand trial for allegedly carrying out a cyberattack on technological control systems that cut off electricity to 38 villages in the Vologda region.

LockBit Saga — Timeline of Events

February 20, 2024

LockBit Busted - Authorities Seize Darknet Domains

Europol and authorities from 11 other nations took over the darknet sites tied to the LockBit ransomware outfit, which has extracted over $91 million from victims since 2019. The operation, known as Cronos, severely disrupted LockBit by exploiting a PHP security hole to take down the group's websites.

February 21, 2024

Hackers Using LockBit Arrested; Decryption Tool Presented

The UK's National Crime Agency (NCA) disrupts LockBit: two people are detained in Poland and Ukraine, more than 200 cryptocurrency accounts are frozen, and two Russians are indicted in the US. Authorities took control of LockBit's intelligence, source code, and 34 servers, and recovered 1,000 decryption keys. LockBit made $120 million and affected 2,500 victims worldwide. A decryption tool is available for victims.

February 22, 2024

$15 Million Bounty on Leaders of the LockBit Ransomware

The US State Department is offering a $15 million reward for information on the leaders of the LockBit ransomware, which has been responsible for over 2,000 attacks worldwide since 2020 and caused $144 million in damages. Law enforcement disrupted LockBit, detained affiliates, and seized assets. Despite these setbacks, LockBit, known for its ransomware-as-a-service model, wide affiliate network, and novel tactics including a bug bounty program, remains a serious cyber threat.

February 25, 2024

Kingpin of the LockBit Ransomware 'Engages' with Police

Following Operation Cronos, a major global campaign to shut down the ransomware-as-a-service, the person or people behind the LockBit ransomware service, known as LockBitSupp, have engaged with law enforcement.

February 26, 2024

LockBit Returns and Demands Attacks on the US Government

Shortly after law enforcement seized its servers, the LockBit ransomware group reappeared on the dark web with fresh infrastructure. On its data leak portal, the gang has named twelve additional victims and discussed the takeover of its websites, pointing to the likely exploitation of a PHP flaw.