Dive Brief:
- The LockBit ransomware group reestablished operations and a new dark web leak site Saturday, just days after a global law enforcement effort dismantled the group’s infrastructure. The FBI did not immediately respond to a request for comment.
- LockBit’s leader posted a lengthy message and began relisting alleged victim organizations hours after law enforcement shut down the group’s seized portal, according to multiple threat hunters’ observations. International law enforcement agencies turned LockBit’s former site into a parody and taunted the group prior to shutting the site down.
- “As for what we are seeing with LockBit right now, most, if not all, of the victims listed on the new site appear to have occurred before the takedown,” Allan Liska, threat intelligence analyst at Recorded Future, said Monday via email. “This means law enforcement likely can provide the victims with decryptors.”
Dive Insight:
The LockBit takedown was widely applauded and regarded as one of the most significant wins for law enforcement in the sprawling war against ransomware to date. Yet, ransomware groups often reemerge after law enforcement takedowns to continue their criminal activity, albeit in a diminished capacity.
The AlphV ransomware group reappeared on the dark web within hours of a law enforcement takedown in December, resulting in a back-and-forth tussle with law enforcement over control of its new leak site. AlphV remains active and continues to list new victims on its data leak site.
More than a dozen alleged victim organizations are listed on LockBit’s new site as of Monday, according to threat hunters.
“This doesn’t mean the disruption was a failure,” Brett Callow, threat analyst at Emsisoft, said Monday via email. “The fact is that LockBit, as a brand, is probably dead. It’s unlikely that anybody would trust an operation that was so completely compromised.”
The global takedown effort led to the arrest of multiple alleged LockBit affiliates. Authorities also seized about 11,000 domains and servers located around the globe, Brett Leatherman, deputy assistant director at the FBI’s Cyber Division, said last week in a statement.
LockBit’s leader is acting recklessly, underscoring the extent to which they are spooked by law enforcement’s actions, according to Liska. “Someone in a better position would take a beat to fully assess the threat rather than immediately lash out,” Liska said.
Cybersecurity experts maintain the relaunch of LockBit is no surprise and the continued activity does not diminish law enforcement’s accomplishments.
“Bottom line: this was a very big win for the good guys. That said, this does highlight the challenges law enforcement face,” Callow said. “Some groups have cockroach-like resilience and permanently taking them out of action is far from easy.”