LockBit has announced that its operations have resumed, a week after a multinational law enforcement investigation named Operation Cronos claimed to have neutralised the infamous ransomware gang. In a rambling message posted to a new .onion site, an individual writing on behalf of the group admitted negligence in allowing the FBI and the UK’s National Crime Agency (NCA) to commandeer its servers through a PHP exploit, but promised that backups were in place and that the gang remained operational.
“All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies,” promised the author, who went on to list specific backup blog domains and mirrors that they claimed remained unaffected by Operation Cronos. “Even after the FBI hack, [any] stolen data will be published on the [LockBit] blog.”
LockBit ransomware gang: old and infamous
First observed in 2019, LockBit ransomware has been launched through a network of over 200 affiliates against countless SMEs and several “big game” targets, including the NHS, Taiwanese chip giant TSMC and the Japanese port of Nagoya. Last week it appeared to have been finally neutralised by Operation Cronos, after the FBI deployed a PHP exploit that allowed it to seize control of 28 servers and obtain the gang’s private messages, intelligence on past, present and future operations, data belonging to victims and the source code for the gang’s platform.
In a message posted on Saturday, the group’s admin admitted that the operation had achieved so much thanks to their “personal negligence and irresponsibility” in not updating the PHP settings on LockBit’s servers in good time. The author went on to dispute several claims made by members of Operation Cronos, including that it had led to the arrest of two alleged affiliates of the gang (“[t]hey are probably just people who are laundering cryptocurrencies”), that LockBit had donated to a Crimea-based Russian propagandist (“I don’t know any military journalist from Sevastopol Colonel Cassad”) and that it had recovered a high number of decryptors.
LockBit did not dispute the FBI’s statement that the group’s annual income was over $100m, a figure presumably reached after investigators analysed data on the hundreds of cryptocurrency wallets seized during Operation Cronos. “This is true,” said the author, implying that in the past they had deleted chats containing evidence of LockBit ransomware payments that put the group’s revenues above the estimates of US law enforcement. “These numbers show that I am on the right track, that even if I make mistakes[,] it does not stop me.”
Gang down, but not out
Signs that LockBit had not been eliminated by Operation Cronos emerged almost as soon as its supposed takedown by law enforcement was reported, with a message from the gang’s admin claiming that backup servers without PHP installed had not been affected. A few days later, researchers from the cybersecurity firms Sophos and Huntress also observed LockBit ransomware being deployed by attackers exploiting vulnerabilities in the remote access tool ConnectWise ScreenConnect.
“We can’t attribute [these attacks] directly to the larger LockBit group, but it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement,” Huntress senior director of threat operations Max Rogers told TechCrunch.