LockBit ransomware group back? And new findings

Recently, international law enforcement agencies announced the dismantling of the LockBit ransomware group's infrastructure. However, this appears to have been only a brief success: the LockBit ransomware group has set up new servers and appears to be back in business. Meanwhile, new findings have emerged following the dismantling of the LockBit infrastructure by the FBI and the UK's National Crime Agency (NCA).


LockBit ransomware group hacked

LockBit is a Russian-speaking group that operates Ransomware-as-a-Service (RaaS). In this model, the ransomware and its infrastructure are made available to other cybercriminals, known as affiliates, who then carry out the attacks. The group is held responsible for numerous cyber incidents.

Lockbit website seized

The ransomware group's servers were hacked, probably due to a PHP vulnerability. The above seizure message was displayed on some of the group's websites. In the article Operation Cronos: FBI & Co. seized infrastructure of the Lockbit ransomware gang, I reported on the seizure of the LockBit infrastructure by law enforcement agencies (including the British National Crime Agency (NCA) and FBI) and provided some details. Further information can be found on the NCA website in this article.

Trend Micro presents more details

Security vendor Trend Micro claims to have been involved with law enforcement agencies such as the NCA in breaking up the group and preventing its long-term plans. In cooperation with the British National Crime Agency (NCA), Trend Micro was able to analyse the unreleased version of the LockBit encryptor (called Lockbit-NG-Dev), which was still under development (see below). According to Trend Micro, this has rendered the entire product line unusable for cybercriminals in the future. A detailed blog post analyses extremely sensitive data from the cybercriminal group.

In a statement, Trend Micro told me that they believe the LockBit group has been stripped of its business model, because no sensible criminal wants to be associated with the discredited gang. The security researchers acknowledge that the LockBit criminal group has been innovative and has tried out new things, but say this has been less the case recently.


LockBit 1.0 to 3.0

Over the course of this development, LockBit has released several versions of its ransomware, from version v1 (January 2020) to LockBit 2.0 (nicknamed "Red", from June 2021) and LockBit 3.0 ("Black", from March 2022). In October 2021, the threat actor also began to cover Linux with its ransomware. Finally, in January 2023, an intermediate version "Green" appeared, which contained code that was apparently taken from the no longer existing Conti ransomware group (which was not the new LockBit version 4.0).

LockBit 4.0

Recently, Trend Micro security researchers were able to analyse a sample that they believe is a version of a platform-independent LockBit malware under development that differs from previous versions. The sample adds the suffix "locked_for_LockBit" to encrypted files, which is part of the configuration and can therefore still be changed. Due to the current state of development, the TM people called this variant LockBit-NG-Dev. According to the Trend Micro specialists, this variant could form the basis for LockBit 4.0. The fundamental changes include the following:

  • LockBit-NG-Dev is written in .NET and compiled with CoreRT. Because the code runs on the .NET environment, it is platform-independent.
  • The switch to this language means the code base is completely new, so new detection signatures will probably have to be created to catch the LockBit 4.0 malware.
  • Compared to v2 (Red) and v3 (Black), it has fewer functions, but these will probably be added in the course of further development. As it stands, it is still a functional and powerful ransomware.
  • The ability to self-propagate and to print ransom notes on the victim's printers has been removed.
  • Execution now has an expiry date, enforced by checking the current date. This is likely to help operators keep control over affiliate use and makes analysis by automated security-vendor sandboxes harder.
  • Similar to v3 (Black), this version still has a configuration that includes flags for routines, a list of processes and service names to terminate, and files and directories to avoid.
  • In addition, the names of encrypted files can still be replaced with random names.
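Two of the behaviours listed above leave traces a defender can look for in file-activity telemetry: the "locked_for_LockBit" suffix and the renaming of encrypted files to random names, both arriving in bursts. The following is an added illustration, not code from Trend Micro or from this article, that scores constructed rename events per process; the event format, thresholds and the random-name heuristic are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

KNOWN_SUFFIX = "locked_for_LockBit"   # suffix Trend Micro reports for LockBit-NG-Dev (configurable by the operator)
RENAME_BURST = 5                      # assumption: this many renames by one process ...
WINDOW_SECONDS = 60                   # ... within this window is suspicious

# Constructed sample telemetry: "<ISO timestamp> <pid> RENAME <old path> -> <new path>"
SAMPLE_EVENTS = r"""
2024-02-24T10:00:01 4242 RENAME C:\data\q1.xlsx -> C:\data\q1.xlsx.locked_for_LockBit
2024-02-24T10:00:02 4242 RENAME C:\data\plan.docx -> C:\data\x7Gk2pQz.9fA3
2024-02-24T10:00:03 4242 RENAME C:\data\budget.csv -> C:\data\aB9cD7eF.2kL0
2024-02-24T10:00:05 4242 RENAME C:\data\notes.txt -> C:\data\notes.txt.locked_for_LockBit
2024-02-24T10:00:07 4242 RENAME C:\data\hr.pdf -> C:\data\Zt4Rq8Wn.5Mx1
2024-02-24T10:05:00 1337 RENAME C:\users\a\Report draft.xlsx -> C:\users\a\Report2024.xlsx
2024-02-24T10:09:00 1337 RENAME C:\users\a\notes.docx -> C:\users\a\notes_final.docx
"""
EVENT_RE = re.compile(r"^(\S+) (\d+) RENAME (.+?) -> (.+)$")

def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]

def looks_random(name: str) -> bool:
    """Heuristic for machine-generated names (an assumption, not a published rule): digits mixed
    with letters and frequent case changes. Shannon entropy is unreliable on such short strings."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 8 or " " in stem or not any(c.isdigit() for c in stem):
        return False
    letters = [c for c in stem if c.isalpha()]
    return sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:])) >= 3

def detect(text: str) -> dict:
    """Return {pid: sorted reasons} for processes whose renames look like file encryption."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, pid, _old, new = m.groups()
            by_pid[int(pid)].append((datetime.fromisoformat(ts), basename(new)))
    alerts = {}
    for pid, items in by_pid.items():
        reasons, names = set(), [n for _, n in items]
        if any(n.endswith(KNOWN_SUFFIX) for n in names):
            reasons.add("known LockBit-NG-Dev suffix")
        if sum(looks_random(n) for n in names) >= 2:
            reasons.add("renames to random-looking names")
        times = sorted(t for t, _ in items)
        if any((times[i + RENAME_BURST - 1] - times[i]).total_seconds() <= WINDOW_SECONDS
               for i in range(len(times) - RENAME_BURST + 1)):
            reasons.add(f"{RENAME_BURST}+ renames within {WINDOW_SECONDS}s")
        if reasons:
            alerts[pid] = sorted(reasons)
    return alerts
```

Since the suffix is part of the configuration and can be changed, the burst and random-name signals are the ones that survive a rebuilt variant; the suffix match is only a confirmation.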

A detailed technical analysis of LockBit-NG-Dev can be found in the aforementioned Trend Micro blog post.

Problems within the group

According to Trend Micro, the LockBit gang has recently been struggling with problems both internally and externally. This has jeopardised their position and reputation as one of the leading RaaS providers. The problems include fake posts from victims and an unstable infrastructure for ransomware operations. Missing download files in alleged releases and new rules for partners have also further strained the group's relationships, Trend Micro said. Attempts to recruit affiliates from rival groups and a long overdue release of a new LockBit version also point to the group's loss of appeal.

The criminals behind the LockBit ransomware have proven successful in the past, according to Trend Micro. LockBit has consistently been one of the highest-impact ransomware groups throughout its history. In recent years, however, the group appears to have experienced a number of logistical, technical and reputational issues.

This has forced LockBit to take action and work on a new, highly anticipated version of their malware (the aforementioned version 4.0). However, given the apparent delay in bringing a robust version to market and the ongoing technical issues, Trend Micro says it remains to be seen how long the group will be able to attract top affiliates and maintain its position.

The seizure of the LockBit infrastructure, the freezing of crypto accounts and the confiscation of affiliate lists are not things that will make the group's affiliates happy. They have to fear that they will become the focus of law enforcement and have also lost the ability to access the previous LockBit infrastructure. In the meantime, the Trend Micro folks are hoping that LockBit is the next big ransomware group that disproves the notion that an organisation is too big to fail.

The results of the seizure operation

Trend Micro provided me with some more information about the law enforcement action. According to Trend Micro, the behind-the-scenes operation included cryptocurrency seizures, arrests, indictments, the imposition of sanctions, and in-depth technical support for the victims. The joint operation also included the takeover of the LockBit leak site, the disclosure of personal identities and information about group members, and details of their previous criminal activities. These measures will discredit the group in the cybercrime community and, according to Trend Micro, make it unviable as an underground organisation for criminals.

Although LockBit was undoubtedly the largest and most influential ransomware operation in the world, the "disruption", according to Trend Micro, makes it clear that criminal partners should reconsider any future collaboration with this group and that by cooperating they expose themselves to an increased risk of prosecution. According to Trend Micro, the operation's actions against the group led to the following results:

  • The neutralisation of a potentially widespread strain of ransomware and the prevention of future attacks.
  • A law enforcement operation that will hopefully put an end to LockBit and set a new benchmark for international co-operation between law enforcement agencies and private partners.
  • Eliminating the threat of a new generation of ransomware thanks to Trend Micro's analysis.

Trend Micro is in regular dialogue with the Federal Bureau of Investigation (FBI) and the National Crime Agency (NCA) on the matter. Insiders are not naive enough to assume that the criminal group will be wiped out once the LockBit infrastructure has been seized. However, the specialists at Trend Micro are certain of one thing: no sensible criminal would want to be associated with this group again.

But LockBit seems to be back

In my article Operation Cronos: FBI & Co. seized infrastructure of the Lockbit ransomware gang, I had already reported that not all LockBit servers had been confiscated. A few hours ago, vx-underground pointed out in the following tweet that LockBit had restored its servers. These are accessible via new Tor domains.

Lockbit Server restored

A new blog and a new leak site of the LockBit ransomware gang are already up and running, and entries are being added. There, the LockBit ransomware gang has also published a message to the FBI in English and Russian. The English statement can be found at vx-underground. In it, an administrator explains that the servers may have been compromised via the CVE-2023-3824 vulnerability in PHP.

The statement confirms that the FBI gained access to a database, web panel sources and a small number of unprotected decryptors (1,000 out of an alleged 2,000) during the hack. Most of the decryptors were protected, however; LockBit claims that only 2.5% of the decryptors generated in the five years of the operation fell into the hands of the FBI.

The confiscated database, according to the statement, only contained the generated nicknames of the partners, which had nothing to do with their real nicknames in forums or in messengers. The FBI also had access to chats with the attacked companies that had not been deleted, and therefore also to the wallets for the ransom payments.

According to my information, crypto money from ransomware totalling over 100 million euros has been confiscated (the colleagues at Bleeping Computer have compiled some information here). These wallets allow law enforcement to search for affiliates who attempted to convert the contents of the crypto wallets into money without laundering it through crypto mixers. Arrests and indictments are likely to follow in this area.

However, the statement, the veracity of which cannot be verified (some of it may be whistling in the dark), says that this will not stop the LockBit gang from continuing their work. In the text, the ransomware group also provides a list of backup blog domains to which the FBI has not had access. These contain data from companies that have fallen victim to the group.

LockBit wants to name more victims, so it will be interesting to see whether there will be more LockBit attacks in the future.

Is a LockBit member co-operating with the authorities?

Addendum: The Hacker News reports in this article that the person behind LockBitSupp is cooperating after the seizure. It says: "LockBitSupp, the person(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, 'has teamed up with law enforcement,' authorities said."

This development comes after the takedown of the widespread Ransomware-as-a-Service (RaaS) operation. More than 14,000 fraudulent accounts with third-party services such as Mega, Protonmail and Tutanota, which were used by the criminals, were shut down. I can't say whether this is true or not; it could also be deliberate disinformation.
