The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, days after an international law enforcement exercise seized control of its servers.
To that end, the notorious group has moved its data leak portal to a new .onion address on the TOR network, listing 12 new victims as of writing.
The administrator behind LockBit, in a lengthy follow-up message, said some of their websites were confiscated most likely by exploiting a critical PHP flaw tracked as CVE-2023-3824, acknowledging that they did not update PHP due to “personal negligence and irresponsibility.”
“I realize that it may not have been this CVE, but something else like 0-day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed,” they noted.
They also claimed the U.S. Federal Bureau of Investigation (FBI) “hacked” their infrastructure because of a ransomware attack on Fulton County in January and that the “stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming U.S. election.”
In addition to calling for attacking the “.gov sector” more often, they stated that the server from which the authorities obtained more than 1,000 decryption keys held almost 20,000 decryptors, most of which were protected and accounted for about half of the total number of decryptors generated since 2019.
The group further went on to add that the nicknames of the affiliates have “nothing to do with their real nicknames on forums and even nicknames in messengers.”
That's not all. The post also attempted to discredit law enforcement agencies, claiming the real “Bassterlord” has not been identified, and that the FBI actions are “aimed at destroying the reputation of my affiliate program.”
“Why did it take 4 days to recover? Because I had to edit the source code for the latest version of PHP, as there was incompatibility,” they said.
“I will stop being lazy and make it so that absolutely every locker build will be with maximum protection, now there will be no automatic trial decrypt, all trial decrypts and the issuance of decryptors will be made only in manual mode. Thus in the possible next attack, the FBI will not be able to get a single decryptor for free.”
Russia Arrests Three SugarLocker Members
The development comes as Russian law enforcement officials have arrested three individuals, including Aleksandr Nenadkevichite Ermakov (aka blade_runner, GustaveDore, or JimJones), in connection with the SugarLocker ransomware group.
“The attackers worked under the guise of a legitimate IT firm Shtazi-IT, which offers services for the development of landing pages, mobile applications, scripts, parsers, and online stores,” Russian cybersecurity firm F.A.C.C.T. said. “The company openly posted ads for hiring new employees.”
The operators have also been accused of developing custom malware, creating phishing sites for online stores, and driving user traffic to fraudulent schemes popular in Russia and the Commonwealth of Independent States (CIS) countries.
SugarLocker first appeared in early 2021 and later began to be offered under the ransomware-as-a-service (RaaS) model, leasing its malware to other partners under an affiliate program to breach targets and deploy the ransomware payload.
Nearly three-fourths of the ransom proceeds go to the affiliates, a figure that jumps to 90% if the payment exceeds $5 million. The cybercrime gang's links to Shtazi-IT were previously disclosed by Intel 471 last month.
The arrest of Ermakov is notable, as it comes in the wake of Australia, the U.K., and the U.S. imposing financial sanctions against him for his alleged role in the 2022 ransomware attack against health insurance provider Medibank.
The ransomware attack, which took place in late October 2022 and was attributed to the now-defunct REvil ransomware crew, led to the unauthorized access of data belonging to approximately 9.7 million of its current and former customers.
The stolen information included names, dates of birth, Medicare numbers, and sensitive medical information, including records on mental health, sexual health, and drug use. Some of these records also found their way to the dark web.
It also follows a report from news agency TASS, which revealed that a 49-year-old Russian national is set to face trial on charges of carrying out a cyber attack on technological control systems that left 38 settlements of the Vologda region without power.
LockBit Saga — Timeline of Events
- February 20, 2024: LockBit Busted – Authorities Seize Darknet Domains
  An international law enforcement operation, involving 11 countries and Europol, successfully seized darknet domains linked to the ransomware group LockBit, which has extorted over $91 million since 2019. The operation, named Cronos, used a PHP security flaw to disrupt LockBit's websites, marking a significant blow to the group's activities.
- February 21, 2024: LockBit Hackers Arrested – Decryption Tool Released
  UK's NCA shuts down LockBit ransomware, arrests 2 in Poland/Ukraine, freezes 200+ crypto accounts, indicts 2 Russians in US. Seized LockBit's code and intelligence, dismantled 34 servers, retrieved 1k decryption keys. LockBit affected 2.5k victims globally, netted $120M. Decryption tool available for victims.
- February 22, 2024: $15 Million Bounty on LockBit Ransomware Leaders
  US State Dept offers $15M reward for information on LockBit ransomware leaders, involved in 2k+ global attacks since 2020, causing $144M in damages. Law enforcement disrupted LockBit, arresting affiliates and seizing assets. LockBit, known for ransomware-as-a-service, an extensive affiliate network, and innovative tactics like a bug bounty program, remains a significant cyber threat despite setbacks.
- February 25, 2024: LockBit Ransomware Kingpin ‘Engages’ with Police
  The person(s) behind the LockBit ransomware service, known as LockBitSupp, has reportedly engaged with law enforcement following a major international crackdown on the ransomware-as-a-service operation, named Operation Cronos.
- February 26, 2024: LockBit is Back – Calls for Attacks on US Government
  The LockBit ransomware group has re-emerged on the dark web with new infrastructure shortly after law enforcement seized its servers. The group has listed 12 new victims on its data leak portal and discussed the seizure of its websites, attributing it to a likely exploitation of a PHP vulnerability.