The infamous ransomware operator LockBit has apparently returned, with new encryptors, new infrastructure, and new data breach and negotiation websites.
Earlier this week, cybersecurity researchers at Zscaler reported that new LockBit victims received a ransom note with a different Tor URL for further steps. According to BleepingComputer, two new encryptor variants were also found and uploaded to VirusTotal on two consecutive days, both with the new annotations.
The publication also confirmed that LockBit’s negotiation server is up and running again, but only works for new victims, those infected after Operation Cronos.
Influencing elections
The news comes weeks after the UK’s National Crime Agency (NCA), along with a team of international partners, broke into the infrastructure of one of the largest ransomware operations in the world. It managed to obtain decryptors and a list of almost 200 LockBit affiliates, and stole a lot of data from various victims. To make matters worse, the NCA also defaced LockBit’s data breach site and left a message for visitors ending with “Have a nice day.”
Shortly after the operation, the owners of LockBit came forward and stated that law enforcement officers had broken into the servers thanks to a bug in PHP, and because they themselves had grown lazy after “swimming in money” for five years. They promised improvements to their infrastructure to make it more resilient, and further promised more attacks on government institutions in retaliation.
They also claimed to have been targeted because of the data they stole from Fulton County earlier this year. The data stolen there reportedly contained sensitive information about the lawsuits against Donald Trump, which, if leaked, “could influence the upcoming US elections,” they said.
When the NCA first took down LockBit’s infrastructure, no arrests were made. Without arrests, it was only a matter of time before the threat actors bounced back.