LockBit Ransomware Hackers Reemerge after Law Enforcement Takedown

Following a recent crackdown by law enforcement agencies that temporarily disrupted their operations, the LockBit ransomware group has resurfaced on the dark web with renewed vigor. In a strategic move, they have migrated their data leak portal to a new .onion address on the Tor network, listing 12 additional victims since the intervention.

In a detailed statement, the LockBit administrator acknowledged that some of the group's websites had been seized and attributed the compromise to a critical PHP vulnerability, CVE-2023-3824. They admitted they had neglected to update PHP promptly, citing personal oversight. Speculating on how the infiltration occurred, they suggested the known vulnerability had been exploited, while expressing uncertainty because the vulnerable version was already present on their servers.

Furthermore, the group alleged that the U.S. Federal Bureau of Investigation (FBI) infiltrated their infrastructure in response to a ransomware attack on Fulton County in January. They claimed that the compromised documents contained sensitive information, including details on Donald Trump's legal cases, potentially impacting future U.S. elections. Advocating for more frequent attacks on government sectors, they disclosed that the FBI's seizure of over 1,000 decryption keys revealed the existence of nearly 20,000 decryptors, emphasizing enhanced security measures to thwart future interceptions.

In an attempt to undermine law enforcement credibility, the post challenged the authenticity of the identified individuals, alleging a smear campaign against their affiliate program. Despite the setback, the group pledged to fortify their encryption mechanisms and transition to manual decryption processes to prevent unauthorized access by authorities in future endeavors.

Meanwhile, Russian authorities have apprehended three individuals, including Aleksandr Nenadkevichite Ermakov, associated with the SugarLocker ransomware group. Operating under the guise of a legitimate IT firm, the suspects engaged in various illicit activities, including developing custom malware and orchestrating phishing schemes across Russia and the Commonwealth of Independent States (CIS) nations. SugarLocker, initially emerging in 2021, evolved into a ransomware-as-a-service (RaaS) model, leasing its malicious software to partners for targeting and deploying ransomware payloads.

Ermakov's arrest is significant, coinciding with financial sanctions imposed by Australia, the U.K., and the U.S. for his alleged involvement in the 2022 ransomware attack against Medibank. The attack compromised sensitive data of millions of customers, including medical records, subsequently traded on the dark web. Additionally, a separate cyber attack on technological control systems, leaving numerous settlements in the Vologda region without power, underscores the escalating global battle against cyber threats.