LockBit Ransomware Data Leak Site Restored as Group Remains Defiant

by | Feb 29, 2024

A week ago the LockBit ransomware group looked to be on the ropes, but it has since rebounded from a law enforcement seizure of its data leak site and other assets.

The group has set up a new data leak site, currently populated with a handful of victims being extorted. It also posted a long and defiant rant indicating that it intends to keep operating and that its leader, who goes by “LockBitSupp,” is not working with law enforcement as was previously reported.

Original data leak site replaced, law enforcement says LockBit remains “completely compromised”

The international law enforcement coalition that took down the LockBit ransomware group says that the threat actors remain totally compromised, so it appears that it has been restoring its capacity from backups and setting up new dark web sites. The action against the group, which took place a little over a week ago, resulted in the seizure of its data leak site and affiliate portal among other assets.

LockBit leadership issued a combination press release and rambling rant to address the situation, claiming that the compromise is not as total as law enforcement is portraying. The group said that it was hacked via a known PHP vulnerability in an older version it had failed to patch, but that its assets and backups that do not use PHP were not compromised. That would seemingly explain the speed with which it got a new data leak site up and restored its normal capacity.

The group also promised more attacks on US government organizations, after the country placed a $10 million reward on information leading to arrest of its leadership. UK cybersecurity officials have said that they know the identity of LockBitSupp, but have not yet made it public.

While the rant touched on a broad variety of topics, the central intent was clearly to reassure affiliates that LockBit ransomware remains safe to use. The group has reportedly been seeing an exodus of affiliates already, scared off by the initial seizure of the portal and data leak site. While the group may not have lost much of its capacity, it nevertheless took a serious blow in terms of marketing.

LockBit ransomware victims may not be in the clear

One of the best pieces of news to come out of the law enforcement raid was that thousands of decryptor keys for LockBit 3.0 had been seized. LockBit claims that these keys are all of a lower-level variety used by the smallest fish among its affiliates, however, those that target small businesses or individuals and demand ransoms as low as several thousand dollars.

But at present, the data leak site has fewer victims listed than is normal for the group. It has also been forced to stall the rollout of the “4.0” version of the LockBit ransomware, with some question as to whether this will now even happen before the group dissolves. Law enforcement may not stumble into another known unpatched PHP vulnerability, but they are certainly treating the group as a priority threat.

Recent Posts

How can we help?

9 + 1 =

× How can I help you?