The LockBit ransomware group is swinging back days after U.S. and UK law enforcement agencies announced they had disrupted the operations of the prolific cybercrime gang, including seizing infrastructure and public-facing websites, grabbing decryption keys, and indicting two alleged members.

LockBit operators reportedly are back up on new infrastructure and with a new .onion address on the TOR network that lists as many as a dozen new victims listed on its leak site. At the same time, the LockBit administrator, in a lengthy message, admitted that some of the group’s servers had been hacked by the FBI but that they were still in operation and threatened to retaliate by targeted U.S. government sites.

Operation Cronos was the latest of such efforts by the U.S. Justice Department (DOJ), FBI, and international law enforcement to fight back against the growing ransomware threat by infiltrating groups’ infrastructure, seizing servers and domains, and getting or developing decryption keys to enable victims to regain control of their encrypted data. Previous initiatives targeted such groups as Hive and BlackCat, also known as ALPHV.

The operation against LockBit targeted a ransomware-as-a-service (RaaS) group and its affiliates that the DOJ said were responsible for more than 2,000 attacks worldwide since January 2020, collecting more than $144 million in ransom payments. The DOJ also is offering rewards of  up to $10 million for information about the group’s leaders.

Administrator Admits to Laziness

The LockBit administrator in the message said FBI likely was able to take down some of the group’s servers by exploiting systems that were running unpatched versions of PHP and were vulnerable to the CVE-2023-3824 remote code execution (RCE) flaw, though they added it also could have been a zero-day bug.

Still, they admitted to being lazy, adding that due to “personal negligence and irresponsibility I relaxed and did not update PHP in time.”

They also warned that other ransomware groups running similarly unpatched servers may also have been compromised by law enforcement agencies.

Rebuilding Infrastructure and Reputation

Throughout the at-times rambling message, the administrator looked to bolster the group’s capabilities and reputation while downplaying the effect of the operation. The ransomware space is highly competitive, particularly as it evolves to a more RaaS model, with groups not only using its own malware but also licensing it out to affiliates, who run their own attacks with it and share the ill-gotten gains with the ransomware developers.

If one ransomware group goes down, affiliates can always find others to attach themselves to.

“All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped,” the administrator wrote.

The Fulton Country Attack

They also speculated that the law enforcement agencies targeted LockBit at this time because of the January attack on Fulton Country, Georgia, government offices. The county District Attorney’s Office is preparing to put former president Donald Trump and several other defendants on trial for fraud and other crimes allegedly committed after the 2020 election.

According to the message, “the stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election. … Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates.”

Cybersecurity expert Chris Krebs wrote that the law enforcement came just as LockBit was preparing to release data stolen from Fulton Country and that the group now says it will public the data March 2 if a ransom isn’t paid.

Law enforcement agencies often will infiltrate ransomware networks and collect information rather than announce their hacks, the administrator wrote. That means LockBit needs to ramp up its attacks U.S. government agencies to force the FBI to show how it had infiltrated the operation and allow the group to shore up weaknesses and vulnerabilities.

“By attacking the .gov sector you can know exactly if the FBI has the ability to attack us or not,” they wrote.

Making Adjustments

The administrator admitted that the FBI in its operation seized a database, web panel sources, locker stubs, and the decryption keys, although they added that the 1,000 claimed by the DOJ were a fraction of the almost 20,000 on the servers and that most were protected. That is half of the 40,000 or so that had been created since the LockBit ransomware hit the scene.

Among the changes the administrator claims they will make in the aftermath of Operation Cronos include ensuring there no longer will be automatic trial encryptions. Instead, all trial decryptions and the issuing of decryptors will be done manually.

In addition, the LockBit group will change how it operates its affiliate panels. The administrator said the more significant law enforcement threat coming out of the infiltration was to the source code of the affiliate panel, which at the time listed all affiliates. Instead, the panel will be spread among multiple servers.

“Due to the separation of the panel and greater decentralization, the absence of trial decrypts in automatic mode, maximum protection of decryptors for each company, the chance of hacking will be significantly reduced,” the administrator wrote.