fbpx
News Hub

LockBit ransomware group back online after international police disruption

Written by Wed 28 Feb 2024

Russian-based ransomware gang, Lockbit, said it has restored its servers and is back online following an international police operation last week that took it offline.

LockBit said law enforcement breached their dark website by exploiting a PHP programming language vulnerability, commonly used for building websites and online applications.

“All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies,” said the statement posted on LockBit’s dark website.

A spokesperson for the UK’s National Crime Agency (NCA), who led the international operation against LockBit, said the group remains ‘completely compromised’.

The NCA recognised that LockBit would likely attempt to regroup and rebuild its systems to facilitate their return online.

“However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues,” said the NCA.

LockBit’s new site advertised a small number of alleged victims and leaked data. The new site showcased a gallery of company names alongside a countdown clock indicating the ransom payment deadline.

LockBit’s alleged leader, LockBitSupp, announced the group’s intensified focus on targeting government agencies following the takedown operation. Recently, reports have surfaced that LockBit has attacked Ernest Health, a network of 36 rehabilitation and critical care recovery hospitals spanning 13 US states.

“LockBit is back to attacking hospitals, Ernest Health allegedly breached,” said Dominic Alvieri on X (formerly Twitter).

Businesses Urged to Remain Vigilant

Vice President of Threat Research and Intelligence at BlackBerry Cybersecurity, Ismael Valenzuela, said the takedown of LockBit represented a positive step forward in curbing ransomware. However, the relaunch of its servers has ‘made it clear that victories are likely to be short-lived’. 

“Ultimately, LockBit’s absence will only create a vacuum for others to fill, particularly those who are already active yet largely unidentified,” said Valenzuela.

Valenzuela added there was a 70% increase in novel malware attacks, with healthcare and critical infrastructure being two of the most prominent areas where novel malware was found.

“This is likely how we will see LockBit’s space filled in the short-term, financiers working with smaller groups to develop resource-intensive but hard-to-detect novel malware with high ROI potential on profitable sectors,” stressed Valenzuela. 

Dan Lattimer, Vice President for the UK and Ireland at Semperis, concurred with Valenzuela’s statements. Lattimer highlighted that, after stealing over £79.1 million ($100 million) in ransom payments, LockBit was not ‘going to go quietly in the wind’.

“The fight between defenders and adversaries is an around-the-clock battle and it was only a matter of time before the group resurfaced in its entirety or its members joined other ransomware groups,” said Lattimer.

Lattimer stressed the necessity for businesses not to let their guard down against threat actors. Instead, organisations should build organisational and operational resiliency to mitigate the impact of future attacks.

This involves immediately assessing critical systems and adopting an ‘assume breach’ mindset. It also entails monitoring unauthorised changes in their Active Directory infrastructure, maintaining real-time visibility into changes in elevated network accounts and groups, backing up systems for clean recovery, and preserving compromised environments for full forensic investigation.

“Overall, it does not pay-to-pay ransoms, ever, unless your organisation is in a life-and-death situation. No organisation has ever paid its way out of ransomware,” said Lattimer.

LockBit’s Operational Takedown

Last week, LockBit, was disrupted by the UK’s National Crime Agency (NCA) along with the Federal Bureau of Investigation (FBI), and Europol.

Operation Cronos resulted in the NCA seizing control of LockBit’s main administration platform, ‘compromising their entire criminal enterprise’. Affiliates utilise this platform to coordinate attacks and manage their dark web leak site, where they threaten to publish stolen data. 

LockBit used a custom tool called Stealbit to exfiltrate data. The infrastructure of LockBit was seized across three countries by members of the Operation Cronos taskforce. A total of 28 servers belonging to LockBit affiliates were taken offline.

Earlier this month, LockBit said it was responsible for a cyberattack on the US subsidiary of Indian digital services company, Infosys. The ransomware group’s attack affected more than 57,028 Infosys McCamish Systems users.

In January, LockBit claimed to have breached and stolen corporate data from Subway, prompting the company to investigate the attack on its IT systems. 

In November, a division of the Industrial and Commercial Bank of China (ICBC) experienced a ransomware attack. The attack caused disruptions in the US Treasury market, resulting in the clearing of fixed-income and equity trades. LockBit was suspected to be behind the ICBS attack however, this was not confirmed.

Join Cloud & Cyber Security Expo

6-7 March 2024, ExCeL London

Cloud & Cyber Security Expo is one of the largest IT security events in Europe.

Don’t miss the chance to build partnerships and discover solutions to protect your business.

Written by Wed 28 Feb 2024

Send us a correction Send us a news tip