LockBit ransomware officially returns — hackers hit back with new attacks following apparent shutdown

ID theft
Image credit: Pixabay (Image credit: Future)

Infamous ransomware operator LockBit has apparently returned, boasting new encryptors, new infrastructure, and new data leak and negotiation websites.

Earlier this week, cybersecurity researchers from Zscaler reported that new LockBit victims received a ransom note with a different Tor URL for further steps, with BleepingComputer also finding two new encryptor variants uploaded to VirusTotal in two consecutive days, both holding the new notes.

The publication also confirmed that LockBit’s negotiation server is up and running again, but works only for new victims, the ones infected after Operation Cronos. 

Affecting the elections

The news comes weeks after the UK’s National Crime Agency (NCA), together with a team of international partners, broke into the infrastructure of one of the largest ransomware operations in the world. It managed to obtain decryptors, plenty of data stolen from different victims, as well as a list of almost 200 LockBit affiliates. To add insult to injury, the NCA also defaced LockBit’s data leak site and left a message to its visitors, ending with “Have a nice day.”

Soon after the operation, LockBit’s owners came forward to state that the law enforcement broke into the servers thanks to a bug in the PHP, and due to the fact that they were lazy after “swimming in money” for five years. They promised improvements to the infrastructure to make it more resilient, and further promised more attacks against government institutions, in retaliation.

They also claimed to have been a target because of the data they stole from Fulton County earlier this year. Allegedly, the data stolen there contains sensitive information regarding the court cases against Donald Trump which, if leaked, “could affect the upcoming US election,” they said.

When the NCA first took down LockBit’s infrastructure, it made no arrests. Without detainments, it was only a matter of time before the threat actors bounced back.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.