LockBit ransomware gang resurfaces after law enforcement disruption

In a bold move, the gang admitted to negligence in maintaining its servers, which led to the breach by law enforcement. The gang outlined its future plans, emphasising a heightened focus on government sectors.


LockBit, the notorious ransomware gang, resurfaced just days after a law enforcement operation dismantled their servers.

The recent law enforcement takedown on 19 February crippled LockBit’s operations, seizing 34 servers and compromising their data leak website. However, the gang quickly bounced back, attributing the breach to outdated PHP servers and acknowledging their own complacency over five years of illicit gains.

LockBit revealed that law enforcement, whom they collectively referred to as the FBI, exploited vulnerabilities in servers running PHP 8.1.2, and that the servers were likely hacked using the CVE-2023-3824 vulnerability. This lapse in updating allowed the breach to occur, resulting in the compromise of admin and chat panels, along with the blog server. The gang’s admission of fault and the subsequent upgrade of their PHP server showcased an effort to fortify their infrastructure against future attacks.

LockBit claims law enforcement acquired a database, web panel sources, and a fraction of unprotected decryptors during the operation. In an attempt to regain trust, LockBit announced rewards for identifying vulnerabilities and unveiled plans for enhanced security measures, including manual release of decryptors and decentralised affiliate panels.

Despite the setback, LockBit remains a formidable threat: reports indicate that LockBit ransomware attacks persist in the wild, showcasing the gang’s resilience. Sophos X-Ops released research revealing ongoing attacks using the LockBit 3.0 variant, exploiting critical vulnerabilities in ConnectWise ScreenConnect remote access software. The vulnerabilities, disclosed on 13 February, were rated severe, with urgent patches released on 19 February. However, slow client response to patching created a window of vulnerability, with thousands of servers worldwide still running outdated software.

LockBit’s resurgence is affirmed by a post on X by malware repository vx-underground, suggesting the gang is regaining strength. The repository claims it communicated with LockBit administrators, who promised a formal reply to law enforcement once their infrastructure restoration is complete.