The Lockbit Ransomware Group

Thoughts on Lockbit

The Lockbit ransomware group has been a major player in the ransomware landscape, touting over 2000 attacks since it was first observed in 2020. On the 19th of February, the homepage of the Lockbit group began displaying a message from federal agencies claiming they had seized the domain. This good news was followed by a press release on Justice.gov dated February 20th, 2024, detailing the seizure. It announced the availability of decryption keys for affected victims as well as indictments against Russian nationals.

In an interesting turn of events, the Lockbit site has since returned, and a post titled “FBI.gov” was released on the 26th of February. The post details intrusions on some of the Lockbit servers on the 19th of February and describes misconfigured PHP servers as the Lockbit administrators’ suspected method of compromise, including the Common Vulnerabilities and Exposures (CVE) identifier involved. They additionally warn those who might find themselves reading the PGP-signed message to maintain stronger security postures on their own attack surfaces. The threat actor admitted laziness and complacency in their statement and speculated on political motives behind the domain seizures. The actor also claimed that a portion of the decryptors the FBI has secured will be unusable, among other accusations of false statements from the FBI.

Additionally, Lockbit included a vow to renew and increase the number of attacks on .gov domains in retaliation, as well as a commitment to a stronger security posture within the Lockbit infrastructure. They went as far as to offer a bug bounty reward to the person who compromised their servers. After boasting of their income and praising the seizure as an opportunity to focus and revitalize their competitive nature, they ended the open letter with a list of their servers that are still active, blog mirrors, and a commitment to continue to steal data.

As of March 1st, there are active countdowns for victim data to be published on their blog, with a promise of renewed vigor towards attacks on .gov domains. It is yet to be seen whether this law enforcement operation can truly be called a success, or whether it simply poked the proverbial bear and we will see Lockbit return with a vengeance.

AUTHOR

Amos Struthers

Amos is a member of the threat research team, dedicated to identifying and cultivating sources and actionable intelligence for Enzoic products. He enjoys learning about new attack vectors, exploits, and vulnerabilities, as well as those threat actors who are utilizing them in the wild. When not at work, Amos loves spending time with his family, cooking, lifting weights, and competing in various shooting sports.