DoD Cyber Security Blogs Lock Bit Ransomware

With new encryptors and servers, LockBit ransomware resumes its attacks.

Following last week’s disruption by law enforcement, the LockBit ransomware gang is once more launching attacks using updated encryptors and ransom notes that link to new servers.

In response to the LockBit ransomware operation, the NCA, FBI, and Europol organized a coordinated disruption known as” Operation Cronos.”

In an embarrassing moment for LockBit, law enforcement turned the ransomware gang’s data leak site into a police press portal as part of this operation.

A press site created from a LockBit data leak site
A press site created from a LockBit data leak site
Source: BleepingComputer

Soon after, LockBit created a new data leak website and wrote to the FBI in a lengthy note claiming that law enforcement had used a PHP bug to breach their servers.

To stop law enforcement from carrying out operation-wide attacks and gaining access to decryptors, they promised to return instead of rebranding.

LockBit encryptors that have been updated for attacks

With new encryptors and an infrastructure set up for data leak and negotiation sites, LockBit appears to be launching attacks once more as of yesterday.

The ransomware gang updated their encryptor’s ransom notes with Tor URLs for the gang’s new infrastructure as first reported by&nbsp, Zscaler. Later, BleepingComputer discovered updated ransom notes in samples of the encryptors that were uploaded to VirusTotal yesterday [Sample ] and today [Sample ] ( shared by Malware HunterTeam ).

BleepingComputer also confirmed that only victims of new attacks can use the operation’s negotiation servers, which are still operational.

New websites for LockBit negotiations
New websites for LockBit negotiations
Source: BleepingComputer

Around 180 affiliates were working with the ransomware operation to carry out attacks at the time of LockBit’s takedown.

One has publicly criticized the Ransomware as a Service operation on X, but it’s not known how many are still using it.

However, LockBit claims that they are currently looking to add experienced pentesters to their operation, which will likely result in more attacks in the near future.

It’s unknown whether this is a grand plan for LockBit to gradually fade away and rebrand, as we saw with Conti. However, it’s safer to assume that LockBit will continue to be a threat for the time being.

Skip to content