Tag Archive for: LockBit

LockBit ransomware group back online after international police disruption

/in


Russian-based ransomware gang, Lockbit, said it has restored its servers and is back online following an international police operation last week that took it offline.

LockBit said law enforcement breached their dark website by exploiting a PHP programming language vulnerability, commonly used for building websites and online applications.

“All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies,” said the statement posted on LockBit’s dark website, as reported by Reuters.

A spokesperson for the UK’s National Crime Agency (NCA), who led the international operation against LockBit, said the group remains ‘completely compromised’.

The NCA added the Agency recognised LockBit would likely attempt to regroup and rebuild its systems to facilitate their return online.

“However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues,” said the NCA.

The Russia-based group’s new site advertised a small number of alleged victims and leaked data. The new site showcased a gallery of company names alongside a countdown clock indicating the ransom payment deadline.

LockBit’s alleged leader, LockBitSupp, announced the ransomware group’s intensified focus on targeting government agencies following the takedown operation. Recently, reports have surfaced that LockBit has attacked Ernest Health, a network of 36 rehabilitation and critical care recovery hospitals spanning 13 US states.

“LockBit is back to attacking hospitals, Ernest Health allegedly breached,” said Dominic Alvieri on X (formerly Twitter).

Businesses Urged to Remain Vigilant

Vice President of Threat Research and Intelligence at BlackBerry Cybersecurity, Ismael Valenzuela, said the takedown of LockBit represented a positive step forward in curbing ransomware. However, the relaunch of its servers has ‘made it clear that victories are likely to be short-lived’. 

“Ultimately, LockBit’s absence will only create a vacuum for others to fill, particularly those who are already active yet largely unidentified,” said Valenzuela.

Valenzuela…

Source…

Lockbit Ransomware Gang Returns After International Takedown, Arrests

/in


The Lockbit ransomware group is reportedly back online with new servers.

In a lengthy letter posted online this weekend, Lockbit claims that the international group of government agencies that infiltrated it only obtained decryption keys for 2.5% of the attacks the ransomware group has carried out since its inception.

Last week, the US Department of Justice, FBI, the UK National Crime Agency (NCA), Europol, and others announced their joint infiltration of Lockbit’s servers. The US charged two Russian nationals allegedly connected to the ransomware group, and Ukrainian authorities arrested a father-son duo believed to be Lockbit members. At the time, Lockbit administrators said that while their servers that use PHP were infiltrated, their backup servers were “untouched.”

The UK’s NCA has repeatedly asserted that Lockbit is fully compromised in statements provided to PCMag. “The NCA, working with international partners, successfully infiltrated and took control of Lockbit’s systems, and was able to compromise their entire criminal operation,” an agency spokesperson told PCMag via email Monday. “Their systems have now been destroyed by the NCA, and it is our assessment that Lockbit remains completely compromised.”

“We recognized Lockbit would likely attempt to regroup and rebuild their systems,” the NCA continued. “However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues.”

In the letter from a purported Lockbit administrator shared by malware data collector VXUnderground, the admin claims that Lockbit members became “lazy” after they stole enough money to let them live a luxurious lifestyle “on a yacht with titsy [sic] girls.”

The admin then implies that they are a US voter and says Lockbit’s new servers are running a new version of PHP, promising that anyone who reports any critical vulnerabilities for Lockbit’s new systems “will be rewarded.” Their lengthy letter makes a number of other allegations and contradictory statements, including some regarding the FBI’s supposed motives.

The admin admits, however, that even a PHP update “will not be enough” to stop the FBI and other agencies from…

Source…

Russian-based LockBit ransomware hackers attempt a comeback | Cybercrime

/in


The LockBit ransomware gang is attempting a comeback days after its operations were severely disrupted by a coordinated international crackdown.

The Russian-based group has set up a new site on the dark web to advertise a small number of alleged victims and leak stolen data, as well as releasing a rambling statement explaining how it had been hobbled by the UK’s National Crime Agency, the FBI, Europol and other police agencies in operation last week.

The group said law enforcement had hacked its former darkweb site using a vulnerability in the PHP programming language, which is widely used to build websites.

“All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies,” said the statement, which was published in English and Russian.

The statement also referred to “my personal negligence and irresponsibility”, declared an intention to vote for Donald Trump in the US presidential election and offered a job to whoever hacked LockBit’s main site.

LockbitSupp, the group’s administrator and presumed author of the statement, does not live in the US, according to law enforcement. The agencies involved in the LockBit operation have also added that “LockbitSupp has engaged with law enforcement”.

In a statement, the NCA said LockBit remains “completely compromised”. A spokesperson said: “We recognised LockBit would likely attempt to regroup and rebuild their systems. However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues.”

The US this month charged two Russian nationals with deploying Lockbit ransomware against companies and groups around the world. Police in Poland made an arrest, and in Ukraine police arrested a father and son they said carried out attacks using Lockbit’s malicious software.

The message on the new LockBit site also threatened to attack US government sites more often. Its revamped website, launched on Saturday, showed a number of purported hacking victims.

Rafe Pilling, director of threat research at the cybersecurity firm Secureworks, said the statement and website showed…

Source…

Authorities Claim LockBit Admin “LockBitSupp” Has Engaged with Law Enforcement

/in


LockBitSupp

LockBitSupp, the individual(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, “has engaged with law enforcement,” authorities said.

The development comes following the takedown of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. Over 14,000 rogue accounts on third-party services like Mega, Protonmail, and Tutanota used by the criminals have been shuttered.

“We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has engaged with law enforcement,” according to a message posted on the now-seized (and offline) dark web data leak site.

The move has been interpreted by long-term watchers of LockBit as an attempt to create suspicion and sow the seeds of distrust among affiliates, ultimately undermining trust in the group within the cybercrime ecosystem.

According to research published by Analyst1 in August 2023, there is evidence to suggest that at least three different people have operated the “LockBit” and “LockBitSupp” accounts, one of them being the gang’s leader itself.

Cybersecurity

However, speaking to malware research group VX-Underground, LockBit stated “they did not believe law enforcement know his/her/their identities.” They also raised the bounty it offered to anyone who could message them their real names to $20 million. It’s worth noting that the reward was increased from $1 million USD to $10 million late last month.

LockBit – also called Gold Mystic and Water Selkie – has had several iterations since its inception in September 2019, namely LockBit Red, LockBit Black, and LockBit Green, with the cybercrime syndicate also secretly developing a new version called LockBit-NG-Dev prior to its infrastructure being dismantled.

“LockBit-NG-Dev is now written in .NET and compiled using CoreRT,” Trend Micro said. “When deployed alongside the .NET environment, this allows the code to be more platform-agnostic. It removed the self-propagating capabilities and the ability to print ransom notes via the user’s printers.”

LockBitSupp Ransomware Hacker

One of the notable additions is the inclusion of a validity period, which continues its operation only if the…

Source…