Despite several law enforcement agencies coming together to disrupt the ransomware group’s operations, there are now reports that the cybercriminal gang is back in action.

The cybercriminal gang is back in action. (Image generated by AI).

Is the LockBit ransomware group back?

  • After a disruption by law enforcement agencies, the LockBit ransomware group is back. 
  • The ransomware group claims that they are still operational in a new site on the dark web. 
  • The group also threatens to launch more cyberattacks on the US.

Spoilers: the LockBit ransomware group is back. Despite several law enforcement agencies coming together to disrupt the ransomware group’s operations, there are now reports that the cybercriminal gang is back in action.

According to a report by Reuters, the ransomware group claims to have restored its servers and be back in business. The cybercriminal gang initially had its services disrupted by a joint operation from international law enforcement agencies which included the FBI, Europol and the UK’s National Crime Agency.

The operation claimed to have taken over several key assets of the ransomware group, including sites and platforms they use to run their activities. Several members of the ransomware group were also arrested and indicted.

LockBit released a statement stating that law enforcement had hacked their dark web site using a vulnerability in the PHP programming language, which is widely used to build websites and online applications.

“All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies,” said the statement, which was posted in English and Russian on a new version of Lockbit’s dark web site.

A spokesperson for Britain’s National Crime Agency, which led the international effort to seize Lockbit’s operations, told Reuters that the group “remains completely compromised.”

“We recognized LockBit would likely attempt to regroup and rebuild its systems. However, we have gathered a huge amount of intelligence about it and those associated with it, and our work to target and disrupt them continues,” the spokesperson said.

The Guardian reported that the US charged two Russian nationals with deploying LockBit ransomware against companies and groups around the world. Police in Poland also made an arrest, and in Ukraine, police arrested a father and son they said carried out attacks using LockBit’s malicious software.

The ransomware group also posted on its new site that it plans to attack US government sites more often. Its revamped website, launched on Saturday, showed a number of purported hacking victims.

The LockBit ransomware group threatened to launch more cyberattacks on the US.

The LockBit ransomware group threatened to launch more cyberattacks on the US.

Preparing for a LockBit ransomware group retaliation

Tech Wire Asia caught up with Christopher Budd, director for Sophos X-Ops on the latest updates. Budd shared his views on the recent takedown of LockBit’s site and the need for businesses to be even more prepared to deal with retaliation from the ransomware group.

“Following word that LockBit’s website may be back up and running, it’s important to note another risk that groups like LockBit pose. Even if a ‘take down’ is 100% effective at nabbing all the members of LockBit, its infrastructure and malware, it won’t stop the malware that’s already in the wild and now outside of that group’s control.

“New Sophos X-Ops threat intelligence on exploitation attacks of ScreenConnect vulnerabilities highlights this very real threat. Malware in these attacks was built using the LockBit 3 ransomware builder tool that was leaked in 2022, meaning the malware used in these attacks may not have originated with the actual LockBit developers. Because of that leak, there is malware out there being used in attacks that are outside of the control of the LockBit group.

“This underscores another, often overlooked way in which these criminal groups threaten everyone: their offensive capabilities become part of the broader threat environment, subject to no one’s control. You can be threatened and attacked by the malware developed by a group like LockBit without being threatened and attacked by the group directly,” commented Budd.

Sophos X-Ops has been tracking the evolution of LockBit over the past four and a half years. According to an analysis by the Sophos X-Ops Incident Response team, LockBit has been among the top 10 most reported ransomware infections since 2020; with the demise of Conti in early 2022, LockBit vaulted to the top of the charts. It ultimately accounted for one in five of all ransomware infections seen by Sophos’s IR in 2023 – comparable in ubiquity in that data to Conti at its peak.  

LockBit - back from the not-nearly-dead-enough.

A handout picture released by Britain’s National Crime Agency (NCA) in London on February 20, 2024 shows a screenshot of the seized cybercrime group ‘LockBit’ site.  (Photo by NATIONAL CRIME AGENCY/AFP).

Meanwhile, Dean Houari, director of security technology and strategy at Akamai, pointed out that ransomware gangs are nimble and a variant of the LockBit gang could fill the void and soon take over with even more damaging tools.

“The most effective security strategy is to prevent attackers from accessing and encrypting the data on critical servers and have a backup in the event they are able to breach an environment. Now is the time for organizations to reassess the state of their security postures. A thorough understanding of attack surfaces, along with strong processes and playbooks to prevent and recover from ransomware attacks are essential,” said Houari.

Houari also explained that implementing a zero-trust architecture starting with software-defined micro-segmentation to prevent lateral movement post-breach is critical.

“Full network visibility to identify indicators of compromise (IoCs) will enable a more offensive posture against ransomware attacks and allow compliance with local cybersecurity regulations,” he added.