LockBit ransomware gang attempts to relaunch its services following takedown

The LockBit ransomware gang is attempting to relaunch its cyber extortion operation following a law enforcement takedown that saw police seize the criminals’ infrastructure and darknet site, as well as obtain a significant intelligence haul, last week.

LockbitSupp, the group’s administrator, opened a new extortion site on Saturday, which currently features the names of five victim companies from whom the criminals are threatening to leak stolen documents. However, the site no longer shows any of the old listings from before the law enforcement operation.

The prolific ransomware-as-a-service outfit had hosted documents stolen from more than 2,000 victims since its launch four years ago — the most of any of the multiple extortion gangs operating on the dark web — until last Monday when police uploaded a splashpage to the site declaring that it was now under their control.

Following its .onion site being hijacked by the U.K.’s National Crime Agency (NCA) — which went on to parody the gang in a week of posts about police’s “unprecedented technical access” to LockBit’s infrastructure — the ransomware service attempted to downplay the extent of that access.

Despite the arrests of alleged affiliates and more than 14,000 accounts being shut down on third-party services — as well as the revelation that the ransomware gang did not delete data from victims after payment, despite promising to do so — a post on LockBit’s new site attempts to minimize the reputational damage caused by the police action, and repeats early claims by the criminals that police had compromised servers running outdated versions of PHP.

This argument about the nature of the compromise was addressed in a press conference last Tuesday, when Graeme Biggar, the director general of the NCA, said his staff had seen “some of the messaging that has come out from LockBit this morning.”

Biggar said: “This stuff can spin up in little ways. There are fragments and remnants of it knocking about online. But we have taken control of the core bit, we have destroyed a huge amount of data.”

In a lengthy cryptographically signed letter, LockbitSupp inaccurately claimed that it was hacked by the FBI — when in fact the operation was conducted by the NCA — because of a ransomware attack on Fulton County, Georgia. In fact, the operation to disrupt the gang began back in 2022.

The letter claimed that law enforcement didn’t want to see information stolen from Fulton Country published because it regarded court cases against Donald Trump that, they alleged without evidence, “could affect the upcoming US election.”

“Personally I will vote for Trump because the situation on the border with Mexico is some kind of nightmare, Biden should retire, he is a puppet,” wrote LockbitSupp, the gang’s administrator who, despite an imperfect grasp of English grammar, has claimed to be based in the United States.

On the seized website, law enforcement stated they know he is not based in the U.S. and suggested he is based in Russia, while also claiming that LockbitSupp has “engaged with law enforcement.”

Announcing the takedown on February 20, Biggar said the law enforcement operation was not intended to be a final nail in the coffin of the ransomware ecosystem: “Sometimes the individuals or the infrastructure is out of our jurisdictional reach, [so] we have to attack what we can and disrupt where we can.

“But I think what we are showing over the last few years and with this disruption, is that we can have a real impact with our law enforcement capabilities against this threat,” said Biggar, acknowledging: “But it will never be complete.”