The world’s most prolific ransomware group, LockBit, is back after being taken down by the world’s leading law enforcement authorities in a joint sting called Operation Cronos earlier this month.
As reported by BleepingComputer, the group announced its return on Saturday (24 February) in a message admitting that its own negligence had allowed law enforcement agencies to gain access and take down its operation.
The group said an outdated PHP server was to blame, with the administrator saying that two main servers were breached “because for five years of swimming in money I became very lazy”.
“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time,” the administrator said.
The group has said it has since updated the server and will be rewarding anyone who discovers vulnerabilities.
It also said that it believes that the FBI targeted the gang after its attack on Fulton County, adding that it plans to increase its attacks on the US government to test if the FBI has the ability to take it down once again.
It said Fulton County likely drew the attention of the US government due to the risk of information regarding Donald Trump’s court case being leaked, which could influence the upcoming election.
Despite many speculating that the group would rebrand following the takedown, LockBit has kept its name and design language and has already claimed attacks on five victims, posting them to its new dark web leak site with countdown timers.
Responding to Operation Cronos’ claim that it had obtained decryptors, LockBit said that only keys for unprotected decryptors were seized. According to the group, the server held almost 20,000 decryptors, roughly half of the 40,000 generated over the course of LockBit’s operations.
The group described these unprotected decryptors as ones issued by older versions of its encryptor, used by smaller, low-level affiliates demanding ransoms as low as $2,000, which did not have the “maximum decryption protection” feature enabled.
The group has also said it will upgrade its infrastructure going forward for greater security and will only release decryptors manually. It will also host the affiliate panel on multiple servers, granting access to different copies to partners based on trust level.
“Due to the separation of the panel and greater decentralization, the absence of trial decrypts in automatic mode, maximum protection of decryptors for each company, the chance of hacking will be significantly reduced,” the group wrote.