View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 26, 2024

LockBit ransomware gang returns a week after supposed takedown by law enforcement

In a message posted over the weekend, the LockBit ransomware gang said it had been negligent in allowing the FBI and NCA to hack its servers – but promised to target government assets more often by way of revenge. 

By Greg Noone

LockBit has announced its operations have resumed a week after a multinational law enforcement investigation named Operation Cronos claimed to have neutralised the infamous ransomware gang. In a rambling message posted to a new .onion site, an individual writing on behalf of the group admitted negligence in allowing the FBI and the UK’s National Crime Agency (NCA) to commandeer its servers via a PHP attack but promised that backups were in place and that the gang remained operational. 

“All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies,” promised the author, who went on to list specific backup blog domains and mirrors that they claimed remained unaffected by Operation Cronos. “Even after the FBI hack, [any] stolen data will be published on the [LockBit] blog.”

A vector of two locks, one open and one closed, used to illustrate a story about the LockBit ransomware gang.
LockBit ransomware operations have resumed, according to a message posted by the gang this weekend. (Photo by VectorPixelStar / Shutterstock)

LockBit ransomware gang old and infamous

First observed in 2019, LockBit ransomware has been launched via a network of over 200 affiliates against countless SMEs and several “big game” targets, including the NHS, Taiwanese chip giant TSMC and the Japanese port of Nagoya. Last week it appeared to have been finally neutralised by Operation Cronos after the FBI deployed a PHP exploit that allowed it to wrest control of 28 servers and obtain control of the gang’s private messages, intelligence on past, present and future operations, data belonging to victims and the source code for the gang’s platform. 

In a message posted on Saturday, the group’s admin admitted that the operation had achieved so much thanks to their “personal negligence and irresponsibility” in not updating the PHP settings on LockBit’s servers in good time. The author went on to dispute several claims made by members of Operation Cronos, including that it had led to the arrest of two alleged affiliates of the gang (“[t]hey are probably just people who are laundering cryptocurrencies”), that LockBit had donated to a Crimea-based Russian propagandist (“I don’t know any military journalist from Sevastapol Colonel Cassad”) and that it had recovered a high number of decryptors. 

LockBit did not dispute the FBI’s statement that the group’s annual income was over $100m, a figure presumably reached after it analysed data on hundreds of cryptocurrency wallets seized during Operation Cronos. “This is true,” said the author, implying that they had deleted chats in the past containing evidence of LockBit ransomware payments that put the group’s revenues above the estimates of US law enforcement. “These numbers show that I am on the right track, that even if I make mistakes[,] it does not stop me.”

Gang down, but not out

Signs that LockBit had not been eliminated by Operation Cronos emerged almost as soon as its supposed takedown by law enforcement was reported, with a message from the gang’s admin claiming that backup servers that did not contain PHP had not been affected. A few days later, researchers from cybersecurity firms Sophos and Huntress also observed that LockBit ransomware was being deployed by hackers exploiting vulnerabilities in the remote access tool ConnectWise ScreenConnect. 

“We can’t attribute [these attacks] directly to the larger LockBit group, but it is clear that LockBit has a large reach that spans tooling, various affiliate groups, and offshoots that have not been completely erased even with the major takedown by law enforcement,” Huntress senior director of threat operations Max Rogers told TechCrunch

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Read more: 2023 ransomware haul $1.1bn for cyber-gangs

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.