LockBit [1] [2] [3] [4] [5] [6], a Russia-based ransomware group [5], has relaunched its leak site on the dark web less than a week after the site was taken down by British police and international partners [1].

Description

The group has set up new .onion domains and listed five new victims, including ICBC Financial Services, CDW, and Taiwan Semiconductor Manufacturing Company [2], each with a countdown timer for the data leak [1]. LockBit blamed law enforcement for the takedown but admitted that its own complacency had been negligent. The group also created a mock-up FBI leak image to suggest that the takedown succeeded because of LockBit's own actions rather than police efforts [1]. LockBit's leader [3] [4], known as "Alex," offered a job to whoever hacked the main site and claimed that other servers hosting backup blogs remain unaffected. Despite the reputational damage from the crackdown [6], LockBit is attempting to rebuild its operations and to convince criminal affiliates to keep using its ransomware-as-a-service model [6].

In the recent law enforcement operation, the Operation Cronos Taskforce seized infrastructure [4], data [1] [4], and decryption keys [3] [4], arrested individuals [4], and froze over 200 cryptocurrency accounts linked to LockBit. LockBit's leader attributed the breach to a PHP bug and claimed that unaffected servers would continue to leak stolen data [4]. He admitted negligence for the disruption but claimed that backup systems remained intact, allowing a quick recovery [4]. LockBit has threatened to target the government sector in retaliation for the law enforcement actions [5]. Despite claims of a significant takedown, law enforcement efforts have not completely dismantled LockBit, and the administrator remains active [5]. The NCA and US law enforcement agencies are offering rewards for information on key members of the group [5]. The restored leak site listed victims including a lending platform, a network of dentistry labs, and Fulton County, Georgia [4]. Affiliates of LockBit have been named publicly, adding pressure to the group, and two LockBit actors have been arrested in Poland and Ukraine [2].

While law enforcement actions may not completely eradicate ransomware groups, they can still do significant damage by disrupting operations and creating distrust among affiliates [4]. To combat ransomware effectively, governments may need to implement comprehensive prevention [4], response [3] [4], and repair programs [4]. Ransomware attacks typically involve encrypting files and demanding payment in cryptocurrency to unlock them [6]; victims paid out a record $1.1bn last year [6]. LockBit recently restored its servers on new .onion domains and blamed the FBI for the takedown [3], claiming the bureau hacked the group because of sensitive information it held about former US President Donald Trump [3]. An FBI spokesperson stated that the bureau's focus was on offering decryption keys to victims and disrupting LockBit's operations [3]. Emsisoft threat analyst Brett Callow noted the challenges of permanently ending a ransomware operation [3], while Sophos director of threat intelligence Christopher Budd warned of the ongoing threat posed by malware developed by groups like LockBit [3].

Conclusion

The impact of ransomware attacks, such as those carried out by LockBit, can be devastating, with significant financial losses and disruptions to businesses and organizations. Mitigating these threats requires a coordinated effort from law enforcement agencies, cybersecurity experts, and governments to prevent future attacks and hold perpetrators accountable. The ongoing threat posed by ransomware groups underscores the need for continued vigilance and proactive measures to protect against cyber threats in the future.

References

[1] https://www.techradar.com/pro/security/unsurprisingly-lockbit-ransomware-crew-has-returned
[2] https://www.informationweek.com/cyber-resilience/international-operation-hits-major-ransomware-player-lockbit-
[3] https://www.techtarget.com/searchSecurity/news/366571377/LockBit-restores-servers-following-law-enforcement-takedown
[4] https://www.darkreading.com/threat-intelligence/lockbit-leak-site-reemerges-week-after-complete-compromise-
[5] https://techcrunch.com/2024/02/26/lockbit-ransomware-takedown-now-what/
[6] https://www.theguardian.com/technology/2024/feb/26/russian-based-lockbit-ransomware-hackers-attempt-comeback?ref=biztoc.com