ZeroSecurity - Information Security News

LockBit Ransomware Group Resurfaces After Law Enforcement Take Down

by Paul
February 27, 2024
in Cybercrime
Russian ransomware group LockBit reemerges after takedown. FBI’s actions and vulnerabilities exposed. LockBitSupp’s identity remains elusive.

The notorious Russian-speaking ransomware syndicate, LockBit, has resurfaced with renewed audacity. In a brazen move, they re-established their dark web leak site, broadcasting a defiant message authored by none other than their enigmatic leader.

The Vulnerability That Unleashed Chaos

In a lengthy message, the leader of LockBit pointed a finger squarely at the FBI. Their weapon of choice? A vulnerability, cryptically labeled CVE-2023-3824, nestled within the web-scripting language PHP. Although unconfirmed as the sole cause of the takeover, it is believed that this is what allowed the Bureau to infiltrate LockBit’s servers, exposing the inner workings of their ransomware-as-a-service operation.

Why didn’t LockBit patch this gaping hole? The answer is as audacious as their crimes: “Because for five years of swimming in money, I became very lazy,” confessed the leader.

Backup Servers: A Missed Opportunity

Law enforcement’s assault was relentless, but not flawless. Backup servers, devoid of PHP installations, remained untouched. LockBit’s taunting revelation underscores their audacity and cunning. They scoff at the notion of defeat, even as the noose tightens.

The message from LockBit’s leader expressed defiance: “All FBI actions aim to tarnish my affiliate program’s reputation, demoralize me, and force me to quit. But they won’t find or eliminate me. As long as I’m alive, I’ll continue performing penetration tests with postpaid services.”

The FBI declined to comment on the recent developments.

International Law Enforcement Takes Action

On Monday, British, U.S., and European law enforcement executed the takeover of the LockBit website. This marked the beginning of a week filled with timed announcements, boasting the seizure of decryption keys, source code, and cryptocurrency wallets.

Following the dramatic takedown of the LockBit ransomware syndicate, Operation Cronos – a joint effort by international law enforcement agencies – has left the cybercriminal underworld buzzing. Here’s what we know:

The Elusive LockBitSupp

Authorities had tantalizingly hinted at revealing the identity of LockBit’s enigmatic leader, LockBitSupp, on Friday. However, they ultimately chose to keep the suspense alive. Their cryptic message on the seized leak site read: “We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with Law Enforcement :)”.

Yelisey Bohuslavskiy, chief research officer at RedSense, interpreted this statement as a veiled admission: “LockBitSupp is a Russian security apparatus implant since 2021.” The intrigue deepens.

LockBit’s Vulnerability

Regardless of LockBitSupp’s true identity, the ransomware group has suffered a significant blow. Allan Liska, principal intelligence analyst at Recorded Future, asserts that LockBit’s aura of invincibility has been shattered. Post-takedown, their actions appear more like posturing than genuine control.

Victims and Fallout

The reestablished leak site now features victim entries, presumably made just before Operation Cronos executed the takedown. Among them is Fulton County, Georgia, which LockBit previously targeted in a disruptive January attack on the county court and tax systems. County District Attorney Fani Willis is actively pursuing a case against former President Donald Trump and 18 codefendants for allegedly interfering with the 2020 presidential power transition.

Zero-Day Claims and Decryptors

LockBit’s message also alleges that the FBI may have exploited a PHP zero-day vulnerability. Curiously, they assert that only 1,000 of the 20,000 ransomware decryptors on the LockBit server were captured during the takedown. The operation, it seems, aimed to prevent the leak of documents stolen from Fulton County.

LockBitSupp’s Reputation

Jon DiMaggio, a ransomware tracker and chief security strategist at Analyst1, offers a candid assessment: “This dude is all about deflection. He likes to say stupid things.” While LockBit’s claim regarding the FBI’s use of a PHP flaw appears credible, DiMaggio advises taking other assertions “with a grain of salt.”

Despite LockBit’s comeback attempt, Operation Cronos remains a resounding success. Doubt and fear within the criminal underground regarding LockBit’s reliability and potential exposure to law enforcement will hinder a swift return to form. Affiliates have numerous other operations to explore.

DiMaggio concludes, “The FBI didn’t just take him down; they humiliated him. This impactful takedown will permanently affect his reputation and serve as a lasting embarrassment.”

Paul

Editor and chief at ZeroSecurity. Expertise includes programming, malware analysis, and penetration testing. If you would like to write for ZeroSecurity, please click "Contact us" at the bottom of the page.