Less than a week after global law enforcement disrupted its operations in a coordinated seizure, the infamous ransomware gang, LockBit, has already issued promises of return, this time with an agenda.
In a lengthy note published on Saturday, the group's leader "LockBitSupp" reassured affiliates that LockBit was once again operational on the dark web and that authorities could only hack into its servers because of LockBitSupp's "personal negligence and irresponsibility."
"I am very pleased that the FBI has cheered me up, energized me and made me get away from entertainment and spending money," LockBitSupp said in the note. "It is very hard to sit at the computer with hundreds of millions of dollars, the only thing that motivates me to work is strong competitors and the FBI."
The note also claimed that the FBI chose to hack LockBit when it did because the group possessed sensitive information stolen from government records that threatened the upcoming US election.
Hacks affected only PHP servers
On Feb 19, global authorities conducted a coordinated takeover of a significant number of LockBit's operations under the banner "Operation Cronos." LockBitSupp said it was possible because of a flaw in LockBit's systems that he was aware of but was too "lazy" to fix in time.
The note said that two of LockBit's servers had thrown a "502 Bad Gateway" error at 06:39 UTC on Feb 19 and that LockBitSupp was able to get the site working again by restarting PHP.
"I didn't pay much attention to it, because for 5 years of swimming in money I became very lazy," LockBitSupp said. "At 20:47 I found that the site gives a new error 404 Not Found nginx, tried to enter the server through SSH and could not, the password did not fit, as it turned out later all the information on the disks was erased."
The note further explained that the hacked servers ran PHP version 8.1.2, which is affected by CVE-2023-3824, a flaw enabling remote code execution (RCE) that possibly allowed the authorities to gain access to LockBit's systems.
"The version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed," LockBitSupp added, pointing out that new LockBit servers are now running the latest version of PHP 8.3.3.
All other servers that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies, the note added.
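The practical lesson in this section is an unpatched PHP build left in place long after a fix existed. The following script is an added example, not code from the article or from anyone it describes: it parses `php -v` output (or a bare version string) and reports whether the upstream version falls inside the ranges affected by CVE-2023-3824. The fixed versions (8.0.30, 8.1.22, 8.2.8) are taken from the PHP changelogs, not from the article; the sample version strings are constructed for the example. The `assess` function and its labels are assumptions of this example.

```python
import re

# Upstream fix versions for CVE-2023-3824 (stack buffer overflow in phar_dir_read),
# per the PHP changelogs: branches 8.0, 8.1 and 8.2 received fixes in these releases.
# Branches older than 8.0 were end-of-life and never received an upstream fix.
FIXED_IN = {(8, 0): (8, 0, 30), (8, 1): (8, 1, 22), (8, 2): (8, 2, 8)}
FIRST_UNAFFECTED_BRANCH = (8, 3)   # 8.3.0 shipped after the fix


def parse_php_version(text):
    """Extract (major, minor, patch) from `php -v` output or a bare version string.
    Distribution suffixes such as '8.1.2-1ubuntu2.14' are ignored here."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no PHP version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def cve_2023_3824_status(version):
    """Return 'patched', 'vulnerable' or 'eol-unpatched' for an upstream PHP version tuple."""
    branch = version[:2]
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return "patched"
    if branch in FIXED_IN:
        return "patched" if version >= FIXED_IN[branch] else "vulnerable"
    return "eol-unpatched"   # 7.x and earlier: upstream never shipped a fix


def assess(php_v_output):
    """Assess one `php -v` line. Distribution builds often backport security fixes
    without bumping the upstream number, so a 'vulnerable' verdict on a string carrying
    a distro suffix is an upper bound: confirm against the distro's advisory."""
    version = parse_php_version(php_v_output)
    distro_build = bool(re.search(r"\d+\.\d+\.\d+[-+~]\S+", php_v_output))
    return {
        "version": ".".join(map(str, version)),
        "status": cve_2023_3824_status(version),
        "distro_build": distro_build,
    }


# Constructed sample inputs (not real servers): the article's 8.1.2 and 8.3.3 versions,
# a distro-packaged build, and an end-of-life branch.
SAMPLES = [
    "PHP 8.1.2 (cli) (built: Jan  1 2024 00:00:00) (NTS)",
    "PHP 8.3.3 (cli) (built: Feb  1 2024 00:00:00) (NTS)",
    "PHP 8.1.2-1ubuntu2.14 (cli) (built: Jan  1 2024 00:00:00) (NTS)",
    "PHP 7.4.33 (cli) (built: Nov  1 2022 00:00:00) (NTS)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line))
```

Running the script on the constructed samples flags the article's 8.1.2 build as vulnerable and 8.3.3 as patched; the Ubuntu-style string is reported with `distro_build` set so the result is treated as needing confirmation rather than as a verdict.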
LockBit to make some infrastructure adjustments
In the seizure, international law enforcement took over many of LockBit's leak sites, 34 of its servers located in the United States, the United Kingdom, the Netherlands, Germany, Finland, France, Switzerland, and Australia, 200 cryptocurrency accounts, and 14,400 rogue email accounts.
Additionally, the authorities had collected about 1000 decryption keys, which the note claims were obtained from "unprotected decryptors" and represent merely 2.5% of the total number of decryptors LockBit issued within five years of its operations. Though bad, it is not fatal to its operations, LockBitSupp added.
"Unprotected decryptors" refer to builds of the LockBit encryption malware that were made without the "maximum decryptor protection" and were mostly used by its affiliates for smaller ransoms (up to $2,000).
LockBitSupp acknowledged the compromise of its affiliate panel's source code as the most significant loss to LockBit, as it carries a potential threat of future hacks. This is why, the note clarified, LockBit has decided to decentralize the panel across many servers for distributed access.
"Now the panel will be divided into many servers, for verified partners and for random people, up to 1 copy of the panel for 1 partner on a separate server, before there was one panel for everyone," the note said.
Warnings of a targeted return
LockBit warns that it is going to focus upcoming operations on targeting government infrastructure, specifically the FBI. In the note, which was mostly addressed to the FBI, LockBitSupp disputed many of the FBI's claims about the seizure, including the indictment of two of LockBit's partners.
"A couple of my partners were arrested, to be honest, I doubt that very much, they are probably just people who are laundering cryptocurrencies, maybe they were working for some mixers and exchangers with drops, that's why they were arrested and considered my partners," LockBitSupp said.
Saying that the latest developments have only spurred him on and that he now looks forward to challenging the authorities to hack the gang again, LockBitSupp claimed that the law enforcement action was likely timed to stop LockBit from making public a few sensitive documents from Fulton County.
"The FBI decided to hack now for one reason only, because they didn't want to leak information from https://fultoncountyga.gov/ the stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election," LockBitSupp said. "If it wasn't for the FBI attack, the documents would have been released the same day, because the negotiations stalled, the FBI really didn't like the public finding out the true reasons for the failure of all the systems of this city."
LockBit 3.0 has reportedly reappeared at a new .onion address on the dark web and lists six victims with countdown timers, including a re-listing of Fulton County and a new entry for the FBI itself.
LockBitSupp's long note comes a day after the FBI posted a "Who is LockBitSupp" message on a seized site, hinting that law enforcement knows who and where LockBitSupp is.