Lockbit States Reasons for Operation Disruption, Cites Donald Trump Case as One

Lockbit cited “personal negligence and irresponsibility, the threat actor admits to laxity in updating PHP promptly.” It revealed that the victim’s admin and chat panel servers, as well as the blog server, were running PHP 8.1.2. As a result, the law enforcement agencies exploited it using CVE-2023-3824 critical vulnerability.

LockBit indicates that they have updated the PHP server and have pledged to reward individuals identifying vulnerabilities in the latest version.

In speculating about the motives behind the FBI’s intrusion into their infrastructure, the cybercriminals point to the ransomware attack on Fulton County in January, posing the risk of divulging sensitive information about “a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

Consequently, LockBit asserts that by targeting the “.gov sector more frequently,” they will compel the FBI to demonstrate their capability to counter the syndicate’s activities.

The syndicate claims that law enforcement obtained a database, web panel sources, locker stubs inaccurately labelled as sources, and a small portion of unprotected decryptors.

Lockbit Resume Operations

The LockBit syndicate is reinitiating its ransomware activities on fresh infrastructure less than a week after law enforcement compromised its servers, and is issuing threats to intensify its targeting of the government sector.

In a communication camouflaged as an FBI leak, the syndicate disseminated an extensive message acknowledging the lapses that facilitated the breach and outlining its future operational strategies.

On February 19, authorities dismantled LockBit’s infrastructure, which encompassed 34 servers hosting the data leak website and its mirrors, stolen data from victims, cryptocurrency addresses, decryption keys, and the affiliate dashboard.

Merely five days later, LockBit resurfaces and discloses details about the breach and its plans to fortify its operations to render its infrastructure more resilient to hacks. Immediately following the takedown, the syndicate admitted the breach, stating it only lost servers servers running PHP, while backup systems devoid of PHP remained unscathed.

On Saturday, LockBit declared the resumption of its ransomware operations and issued a damage control message, acknowledging “personal negligence and irresponsibility” as the causes for law enforcement’s disruption of their activities in Operation Cronos.

Maintaining the brand’s identity, the syndicate relocated its data leak site to a new .onion address, featuring five victims with countdown timers indicating when stolen information will be disclosed.

Several organizations listed on LockBit’s “leaked data” page were victims of previous attacks.