LockBit leak site is back online

LockBitSupp, the individual running the LockBit ransomware-as-a-service operation, has made good on one promise: the LockBit leak site is back online on backup domains, with lists of victims expected to be unveiled in the coming days.

Law enforcement strikes LockBit RaaS gang

Last week, Operation Cronos hit LockBit hard by taking over their leak site and affiliate panel, disrupting part of their infrastructure, and arresting some suspected affiliates.

It followed up by teasing a reveal of LockBitSupp’s identity but, in the end, they only said that they know who he is, where he lives, and how much he is worth.

They mentioned that LockBitSupp doesn’t live in the US or the Netherlands (as he claimed), and that “he drives a Mercedes (though parts may be hard to source)”, implying that he lives in a country under sanctions, likely the Russian Federation.

They concluded their reveal with a cryptic statement: “LockbitSupp has engaged with Law Enforcement,” complete with a smiley emoji.

Return of LockBit

Operation Cronos also shared a list of LockBit 3.0 affiliates last week. The list doesn’t really mean much to the public as the affiliates are listed by nickname, but could possibly scare the affiliates, make them think that the authorities will be able to find their real world identities, and make them think twice about continuing their attacks.

With the leak site back online, LockBitSupp has released a message to the FBI in English and Russian, admitting that they’ve become lazy and irresponsible when it comes to patching, thereby allowing law enforcement to exploit a known PHP vulnerability to compromise two of the RaaS operation’s main servers.

LockBitSupp also claims that:

• The FBI hacked the servers and took over the leak site to prevent the leaking of sensitive information stolen by the gang (or an affiliate) from government computer systems in Fulton County, Giorgia
• The feds did not manage to get their hands on as many decryptors as they claim
• The gang has backups of the data stolen from victims
• They will be taking steps to prevent similar actions from succeeding in the future

“All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me,” LockBitSupp wrote.

You can review the very long message on DataBreaches.net but its overarching aim is to convince affiliates that they can still trust the LockBit operators. (The extensive taunting of law enforcement and the mocking of their efforts essentially serves that same purpose.)

A global anti-ransomware effort is underway

Time will prove whether LockBit’s message is successful, but even if it’s not, there are unfortunately other RaaS gangs out there the affiliates can hitch their wagon to.

However satisfying law enforcement actions like these are for most people, it may also seem to the public that the agencies are involved in a game of Whac-a-Mole: you hit one RaaS and another takes its place.

But these actions are just one of the many available tools that are being used in concert to combat the global ransomware threat.

UPDATE (March 4, 2024, 04:25 a.m. ET):

While LockBit claims that Fulton County has paid the ransom and that’s why they haven’t leaked the stolen info, Fulton County leaders said they haven’t paid nor directed a third party to pay the ransom on their behalf.

Emsisoft threat analyst Brett Callow noted that LockBit seems to be recycling old incidents in an effort to appear active.