The infamous LockBit ransomware operator is apparently back, with new encryptors, new infrastructure, and new data exfiltration and trading websites.
Earlier this week, cybersecurity researchers at Zscaler reported that new LockBit victims received a ransom note with a different Tor URL to follow next steps, with beepcomputer Two new encryption variants were also found uploaded to VirusTotal on two consecutive days, both with the new notes.
The post also confirmed that the LockBit trading server is up and running again, but it only works for new victims, those infected after Operation Cronos.
Affecting the elections
The news comes weeks after the UK's National Crime Agency (NCA), along with a team of international partners, breached the infrastructure of one of the world's largest ransomware operations. He managed to obtain decryptors, a lot of stolen data from different victims, as well as a list of almost 200 LockBit affiliates. To add insult to injury, the NCA also defaced the LockBit data breach site and left a message for its visitors ending with “Have a nice day.”
Shortly after the operation, the owners of LockBit stated that law enforcement broke into the servers thanks to a bug in PHP and because they were lazy after “swimming in money” for five years. They promised improvements to the infrastructure to make it more resilient and, in addition, they promised more attacks against government institutions, in retaliation.
They also claimed to have been targeted because of data they stole from Fulton County earlier this year. The data stolen there allegedly contains confidential information about the legal proceedings against Donald Trump that, if leaked, “could affect the upcoming US elections,” they said.
When the NCA first took down LockBit's infrastructure, it made no arrests. Without arrests, it was only a matter of time before the threat actors recovered.
