February 26, 2024
Severity
High
Analysis Summary
The LockBit ransomware gang has returned in less than a week on new infrastructure after law enforcement hijacked its servers, and is now threatening to target the government sector in more of its attacks. The gang posted a long message under a mock-up FBI leak about the negligence that enabled the breach and also discussed its operational plans for the future.
Yesterday, LockBit announced on its new data leak website that it is resuming the ransomware operation and, in an attempt at damage control, admitted that its own negligence and irresponsibility allowed “the FBI” to disrupt its activity in Operation Cronos. The ransomware gang kept its brand name and moved its data leak website to a new address on the dark web, which currently lists five victims and shows countdown timers for publishing the stolen data if the ransom isn’t paid on time.
Police authorities took down LockBit’s infrastructure on February 19th, including 34 servers that hosted its data leak website and its mirrors, cryptocurrency addresses, the data stolen from victims, decryption keys, and the affiliate panel. Just after the takedown, the ransomware gang confirmed the breach and stated that it had only lost the servers running PHP, while the backup systems without PHP were not affected. Five days later, LockBit is back and has provided details about the breach and its plans to run the business going forward by making its infrastructure more difficult to break into.
The LockBit operator referred to law enforcement collectively as the FBI and said that they only managed to breach the two main servers because of the operator’s personal negligence and irresponsibility after 5 years of “swimming in money”, which led to the PHP server not being updated on time. LockBit also stated that the victim chat and admin panel server, as well as the blog server, were all running PHP 8.1.2, and that it is very likely they were breached by leveraging a critical vulnerability tracked as CVE-2023-3824.
The threat actor said that they have now updated the PHP server and also announced a reward for anyone who can find a vulnerability in the latest version. The ransomware operator speculates that law enforcement hijacked their infrastructure because of the ransomware attack on Fulton County in January, which risked leaking information about Donald Trump’s court cases and other material that could have an impact on the upcoming U.S. elections. This has led LockBit to believe that by focusing its attacks more on the government sector, it might be able to force the FBI to show whether it possesses the ability to attack the ransomware gang. Finally, the LockBit operator said that law enforcement managed to obtain a database, some web panel sources, a small portion of unprotected decryptors, and locker stubs that, according to the operator, are not source code.
During Operation Cronos, law enforcement authorities managed to collect over 1,000 decryption keys. LockBit claims that the authorities obtained these keys from unprotected decryptors and that there were about 20,000 decryptors on the breached server, roughly half of the approximately 40,000 decryptors generated over the operation’s lifetime.
The LockBit operator defines these unprotected decryptors as builds of the file-encrypting malware that didn’t have the full decryption protection feature enabled, which is usually used by low-level affiliates who take small ransoms of only $2,000. LockBit has plans to upgrade the security of its infrastructure and switch to manually releasing decryptors and trial file decryptions. They also plan to host the affiliate panel on various servers and provide access to different copies to its affiliates based on trust level.
The ransomware gang said, “Due to the separation of the panel and greater decentralization, the absence of trial decrypts in automatic mode, maximum protection of decryptors for each company, the chance of hacking will be significantly reduced.”
This lengthy message from LockBit appears to be damage control and an attempt to regain credibility after a blow to its reputation. Even though the gang managed to restore its servers in the end, its affiliates have enough reason not to trust it as much as before.
Impact
- File Encryption
- Financial Loss
- Sensitive Data Theft
Remediation
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Keep your software up to date. Software updates often include security patches that can help to protect your systems from known vulnerabilities.
- Use strong passwords and multi-factor authentication. This will make it more difficult for attackers to gain access to your systems.
- Back up your data regularly. This will help you to recover if your systems are encrypted by ransomware.
- Deploy robust endpoint security solutions, including antivirus, anti-malware, and intrusion detection systems, to detect and prevent threats like LockBit ransomware.
- Immediately disconnect or isolate the compromised systems from the network to prevent the malware from spreading further. This may involve shutting down affected servers or segments of the network.
- Conduct a thorough investigation to determine the extent of the breach, including identifying which systems and data were compromised.
- Develop a long-term cybersecurity strategy to prevent future incidents, including investing in advanced threat detection and response capabilities.