LockBit returns after takedown with new extortion threats

LockBit is back extorting victims on the dark web a week after a major international law enforcement taskforce knocked the prolific ransomware gang’s operations offline.

Despite authorities seizing servers, cryptocurrency and decryption keys in the raid, a weekend post purportedly from the gang’s leader claimed LockBit had retained access to its victims’ stolen data.

Among the files the threat group claims to have, and is threatening to release, are court documents stolen from Fulton County, Georgia, relating to the election subversion case against former U.S. President Donald Trump.

As part of the multi-country Operation Cronos taskforce that took down LockBit, authorities seized a number of dark web sites run by the gang, including the leak site it used to post victim details and extortion demands.

Over the weekend a new dark web LockBit leak site appeared, with a victim list that included Fulton County and the FBI.

There is no evidence to suggest LockBit had actually hacked the FBI, but the listing included a rambling 2800-word post claiming to be written by the gang’s leader, “LockBitSupp”.

‘Lazy’ LockBit boss takes the blame

In the post, LockBitSupp asserted the threat group would intensify its focus on targeting government agencies in the wake of the takedown operation.

“What conclusions can be drawn from this situation? Very simple, that I need to attack the .gov sector more often and more, it is after such attacks that the FBI will be forced to show me weaknesses and vulnerabilities and make me stronger,” LockBitSupp wrote.

The writer said after “5 years of swimming in money I became very lazy” to the point of overlooking a PHP vulnerability in the gang’s web infrastructure that authorities were able to exploit to gain control of its servers.

“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time … as a result of which access was gained to the two main servers where this version of PHP was installed.”

Threat to release Trump files

While authorities said Operation Cronos was months in the planning, LockBitSupp claimed law enforcement moved on the gang just days before its Fulton County ransom deadline expired because they did not want the court documents to be leaked.

“The FBI decided to hack now for one reason only, because they didn’t want to leak information from https://fultoncountyga.gov/ the stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

A small sample of stolen files from the court that were previously published by the gang suggests a larger leak could have potentially dangerous and disruptive consequences related to a number of other cases. However, LockBit has yet to provide any evidence it is in possession of material related to the case Trump is facing in Fulton County.

According to the gang’s new leak site, Fulton County’s deadline to pay a ransom is March 2. The county’s Commission Chairman, Robb Pitts, previously said a ransom would not be paid.

Who is LockBitSupp?

Last week authorities posted a message on one of the gang’s websites they had taken over – “Who is LockBitSupp?” – suggesting they would reveal the gang leader’s identity when a countdown timer on the site expired on Feb. 23.

But observers were left disappointed when the only details revealed were that the person did not live in the U.S. or the Netherlands, and drove a Mercedes rather than a Lamborghini.

The announcement from the Operation Cronos team stated: “We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has engaged with law enforcement.”

Cybersecurity journalist Brian Krebs contacted a person believed to be LockBitSupp on the Tox instant messaging platform and asked if they thought the FBI knew their identity.

“I’m not sure the FBI doesn’t know who I am,” LockBitSupp told Krebs. “I just believe they will never find me.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
