LockBit, a ransomware operation, resurfaced within a week of Operation Cronos, the multinational law enforcement action coordinated by Europol with ten countries, including the United States and the United Kingdom, which announced on February 20 that it had dismantled LockBit's infrastructure. On February 24 the LockBit developers claimed to have resumed operations, and BleepingComputer found five new victims listed on LockBit's new data leak site.
As part of Operation Cronos, law enforcement took control of LockBit's data leak site, seized 34 servers in several countries, froze more than 200 cryptocurrency accounts linked to the group, took down or deleted 14,000 rogue accounts used for exfiltration or infrastructure, and arrested two suspects. LockBit is estimated to have hit more than 2,000 victims and collected over $120 million in ransom payments.
In the meantime, the security research collective vx-underground reported that LockBit's developers claimed law enforcement got into their infrastructure by exploiting CVE-2023-3824, a memory-corruption bug in PHP's phar extension that was patched in August 2023.
The LockBit developers gave their own account of the incident: on February 19, two of their servers were breached, locking them out. They conceded that this may have been their own fault for not promptly patching CVE-2023-3824 in PHP, though they also raised the possibility of other, still unknown (zero-day) PHP vulnerabilities. They warned rival ransomware groups that their PHP servers may have been compromised too, and urged them to patch and rotate all credentials.
They stressed that their servers not running PHP were unaffected and would continue to be used to publish data stolen from victim companies.
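The practical takeaway for anyone operating a PHP front end is to confirm that the installed build is at or past the fixed releases before worrying about whether the same bug was used against them. The following is an added example, not code from the article or from any of the parties it describes. It classifies a PHP version string (for instance the first line of `php -v`) against the fix thresholds for CVE-2023-3824. The thresholds (8.0.30, 8.1.22, 8.2.8) are taken from the PHP release history as I recall it and are an assumption to verify against the advisory; branches older than 8.0 were end-of-life when the fix shipped, so they are flagged for manual review rather than assumed safe or affected. The host inventory at the bottom is constructed sample data.

```python
import re

# Assumption (verify against the PHP advisory): first release of each
# then-supported branch that contains the CVE-2023-3824 fix.
FIXED_IN = {
    (8, 0): (8, 0, 30),
    (8, 1): (8, 1, 22),
    (8, 2): (8, 2, 8),
}
OLDEST_FIXED_BRANCH = (8, 0)


def parse_version(text: str) -> tuple[int, int, int]:
    """Pull MAJOR.MINOR.PATCH out of a bare version or a `php -v` banner."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if m is None:
        raise ValueError(f"no PHP version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: tuple[int, int, int]) -> str:
    """Return 'vulnerable', 'fixed' or 'unsupported' for CVE-2023-3824."""
    branch = version[:2]
    if branch in FIXED_IN:
        # Tuple comparison orders (8, 1, 20) before (8, 1, 22) as intended.
        return "vulnerable" if version < FIXED_IN[branch] else "fixed"
    if branch < OLDEST_FIXED_BRANCH:
        # EOL branches received no fix; flag them for a manual decision.
        return "unsupported"
    # Newer branches (8.3 onward) were cut after the fix landed.
    return "fixed"


def audit(banners: dict[str, str]) -> dict[str, str]:
    """Classify a host -> `php -v` banner mapping."""
    return {host: classify(parse_version(banner)) for host, banner in banners.items()}


# Constructed sample inventory, not real hosts.
SAMPLE_HOSTS = {
    "blog-1": "PHP 8.1.20 (cli) (built: Jun  8 2023 10:21:48) (NTS)",
    "blog-2": "PHP 8.2.8 (cli) (built: Aug  3 2023 12:00:00) (NTS)",
    "blog-3": "PHP 7.4.33 (cli) (built: Nov  2 2022 09:00:00) (NTS)",
    "mirror": "PHP 8.3.0 (cli) (built: Nov 23 2023 08:00:00) (NTS)",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_HOSTS).items():
        print(f"{host}: {status}")
```

Feed it the banners collected from each host (`php -v | head -1` over your fleet) and treat anything other than `fixed` as a server whose credentials should be rotated on top of being patched, since a version check cannot tell you whether the bug was already used.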
The LockBit developers also claimed that law enforcement, the FBI included, overstated the success of Operation Cronos. The more than 1,000 decryption keys the authorities obtained, they said, amounted to only about 2.5% of the total and were low-level keys; over LockBit's five years of operation they claimed to have issued around 40,000 keys in all. They further asserted that the two arrested suspects were not genuine affiliates but may have been people running mixers or working at cryptocurrency trading platforms.
They also listed dozens of backup blog domains that do not run PHP and were not compromised by law enforcement, and announced a new main domain. The four-day gap before restoration, they explained, was mostly spent porting their site code to the latest PHP version. They denied the accusation that they had failed to delete data belonging to victims who paid the ransom, calling it a deliberate falsehood by law enforcement.
Image Source: tehtris