LockBit decapitated, police forces take control

Among the most subtle and, at the same time, most effective cyber threats (at least from the malware writer's point of view) is LockBit. It is a ransomware designed to encrypt files on the compromised system and demand a ransom in exchange for the decryption key.

LockBit has “invested” in the Ransomware-as-a-Service model

The authors of LockBit are known for having actively promoted the spread of the RaaS (Ransomware-as-a-Service) model: the creators of the ransomware provide their malware as a service to third parties, allowing other cyber criminals, known as “affiliates” or “partners”, to use the malicious code to conduct their own attacks. The RaaS model has turned the ransomware phenomenon into a commercial service, with profits shared between the creators of the malware and the affiliates who distribute it.

We described at the time, in detail, how LockBit works, focusing on the damage it has caused over the years to many companies and professionals all over the world.

The .onion domains used by LockBit under police control

Following an operation coordinated by the police authorities of 11 countries, the agents of the government bodies involved declared today that they have finally taken control of LockBit, neutralizing the platform used up to now.

A .onion website, accessible through the Tor Browser, until yesterday served as a vast archive for the data exfiltrated by the LockBit ransomware from the victims’ systems. If the ransom was not paid, LockBit threatened to publish the data of the targeted companies. Often this was confidential information and, in some cases, even industrial secrets.

LockBit ransomware seizure

What is new is that anyone trying to visit the .onion domain historically used by LockBit now finds a page stating that it is under the control of the National Crime Agency of the United Kingdom, as part of “Operation Cronos”.

How the servers used by LockBit were hacked

The “top brass” of the organization behind LockBit are known online as LockBitSupp and communicate via the Tox messaging service. A message confirms that the police forces compromised the servers of the ransomware developers by exploiting a vulnerability left unfixed in the local PHP installations.

Tox is an open source project that aims to provide a secure and decentralized communication platform. Its main goal is to offer a secure and private alternative to centralized instant messaging platforms. Its built-in anonymity protections are the reason the developers and managers of LockBit chose it, to avoid being tracked and subjected to judicial measures.

The authorities have acquired the affiliation panel and the data raided by the ransomware

Police technicians took down the LockBit affiliate panel and replaced it with a message stating that the source code, chats and information on the ransomware victims were also seized. “We have the source code, details of the victims attacked, the amount of money extorted, the stolen data, the chats and much, much more”, reads the message displayed on the LockBit panel.

The few lines left by the FBI, Europol and the UK National Crime Agency are also meant to unsettle LockBit’s “customers”, i.e. all those who until now have used the RaaS model to attack large numbers of companies and profit from it. “You can thank Lockbitsupp and their broken infrastructure for this situation… we may be in touch with you very soon”, the message reads.

LockBit numbers and the existence of backup servers

US cybersecurity authorities and other international partners said in June 2023 that the LockBit group had extorted at least 91 million dollars from US organizations since 2020 alone, across as many as 1,700 attacks.

LockBitSupp confirms that the police attack exploited some flaws in PHP, but specifies that all the content stolen over many years is still available on a bank of backup servers.
