The LockBit ransomware gang is attempting a comeback days after its operations were severely disrupted by a coordinated international crackdown.
The Russia-based group has set up a new site on the dark web to advertise a small number of alleged victims and leak stolen data, as well as releasing a rambling statement explaining how it had been hobbled by the UK’s National Crime Agency, the FBI, Europol and other police agencies in an operation last week
The group said law enforcement had hacked its former dark web site using a vulnerability in the PHP programming language, which is widely used to build websites.
“All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies,” said the statement, which was published in English and Russian.
The statement also referred to “my personal negligence and irresponsibility”, declared an intention to vote for Donald Trump in the US presidential election and offered a job to whoever hacked LockBit’s main site.
LockBitSupp, the group’s administrator and presumed author of the statement, does not live in the US, according to law enforcement. The agencies involved in the LockBit operation have also added that “LockBitSupp has engaged with law enforcement”.
In a statement, the NCA said LockBit remains “completely compromised”. A spokesperson said: “We recognised LockBit would likely attempt to regroup and rebuild their systems. However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues.”
LockBit works under a ransomware-as-a-service model, where it leases out its software to criminal affiliates in exchange for a cut of any ransomware payments.
Pilling said LockBit would have to convince affiliates to use its services despite the public relations hit from the international law enforcement operation.
“There will be a knock to their reputation within the criminal community as a result of the NCA-led action,” he said.
Ransomware attacks typically involve hackers entering a target’s computer system and paralysing it with malware, which encrypts files and makes them inaccessible.
A new trend in attacks involves assailants extracting data from the IT system, such as staff or customer details. The gang then asks for payment in cryptocurrency, usually bitcoin, to unlock the files or to delete their copy of the stolen data. Ransomware victims last year paid out a record $1.1bn (£870m) to assailants.