The LockBit Ransomware group resurfaces after law enforcement takedown

LockBit Ransomware Group

The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, days after an international law enforcement exercise took control of the servers.

To this end, the infamous group has moved its data breach portal to a new .onion address on the TOR network, with twelve new victims at the time of writing.

The administrator behind LockBit, in a long follow-up post, said that some of their websites were seized most likely by exploiting a critical PHP flaw tracked as CVE-2023-3824, and acknowledged that they had not updated PHP due to “personal negligence and irresponsibility.”

“I realize it might not have been this CVE, but something else like 0-day for PHP, but I can’t be 100% sure because it was already known that the version installed on my servers was a known vulnerability, so this is most likely how the victims’ admin and chat panel servers and the blog server were accessed,” they noted.


They also claimed that the US Federal Bureau of Investigation (FBI) had “hacked” their infrastructure because of a ransomware attack on Fulton County in January, and that the “stolen documents contained many interesting things and could affect Donald Trump’s lawsuits on the upcoming US elections.”

They also called for more frequent attacks on the “.gov sector”, while also stating that the server from which authorities obtained more than 1,000 decryption keys contained almost 20,000 decryptors, most of which were protected and accounted for about half of the total number of decryptors generated since 2019.

The group further added that the affiliates’ nicknames “have nothing to do with their real nicknames on forums and even nicknames in messengers.”

That’s not all. The post also attempted to discredit law enforcement agencies, claiming that the real “Bassterlord” has not been identified, and that the FBI’s actions are “aimed at destroying the reputation of my affiliate program.”

“Why did it take four days to fix? Because I had to edit the source code for the latest version of PHP because there was incompatibility,” they said.

“I will stop being lazy and make sure that absolutely every build-locker gets maximum protection. Now there will be no more automatic trial decryption; all trial decryptions and the issuance of decryptors will take place only in manual mode. So under the possible circumstances at the next attack, the FBI won’t be able to get a single decryptor for free.”

Russia arrests three SugarLocker members

The development comes as Russian law enforcement officials have arrested three individuals, including Aleksandr Nenadkevichite Ermakov (aka blade_runner, GustaveDore or JimJones), in connection with the SugarLocker ransomware group.

“The attackers worked under the guise of a legitimate IT company, Shtazi-IT, which offers services for the development of landing pages, mobile applications, scripts, parsers and online stores,” said Russian cybersecurity company FACCT. “The company openly advertised hiring new employees.”

The operators have also been accused of developing custom malware, creating phishing sites for online stores and redirecting user traffic to fraudulent programs popular in Russia and the Commonwealth of Independent States (CIS) countries.

SugarLocker first appeared in early 2021 and later began to be offered under the ransomware-as-a-service (RaaS) model, where the malware is rented to other partners under an affiliate program to breach targets and deploy the ransomware payload.


Nearly three-quarters of the ransom proceeds go to affiliates, a figure that rises to 90% if the payment exceeds $5 million. The cybercrime gang’s ties to Shtazi-IT were previously revealed by Intel 471 last month.

Ermakov’s arrest is notable because it comes in the wake of Australia, Britain and the US imposing financial sanctions on him for his alleged role in the 2022 ransomware attack on health insurer Medibank.

The ransomware attack, which occurred in late October 2022 and was attributed to the now-defunct REvil ransomware crew, led to unauthorized access to the data of approximately 9.7 million of its current and former customers.

The stolen information included names, dates of birth, Medicare numbers and sensitive medical information, including mental health, sexual health and drug use data. Some of these records also found their way to the dark web.

It also follows a report from news agency TASS, which revealed that a 49-year-old Russian will stand trial on charges of carrying out a cyber attack on technological control systems that left 38 settlements of the Vologda region without power.
