HQ/EMEAFind out how we can help your business
Law enforcement agencies that are the members of Operation Cronos have reactivated the seized LockBit ransomware data leak site as a hint to publish new material on Tuesday.
On February 19, Operation Cronos shut down LockBit’s infrastructure, which included 34 servers hosting the data leak website and its mirrors, data taken from victims, bitcoin addresses, 1,000 decryption keys, and an affiliate panel.
As part of this disruption, the authorities converted one of the data leak sites into a press release site, where the UK’s National Crime Agency (NCA), the FBI, and Europol published information about what they uncovered during their operation, a list of affiliates, and how LockBit deceives victims by not constantly deleting stolen data after a ransom is paid.
In addition, one of the notifications was named “Who is LockBitSupp?” implying that these agencies would reveal information about who the perpetrator of the ransomware attacks was.
However, the law enforcement agencies subsequently shut down the website a few days later, with many viewing the “LockBitSupp” article as a blunder by law enforcement for hyping the announcement while revealing essentially nothing. Hence, some researchers stated that the authorities’ misstep has allowed LockBitSupp to claim victory as it remained anonymous.
The Operation Cronos members have relaunched the LockBit press release and data leak site.
Earlier this week, law enforcement relaunched the LockBit data leak/press release site and revealed seven new blog articles going live simultaneously.
These blog entries tease names like “What have we learnt?” “More LB hackers exposed,” “What have we been doing?” and another blog post boasting “Who is LockBitSupp?” Still, everyone should wait and see if law enforcement will reveal anything significant about LockBit’s operator or if this will be another blunder on their part.
On the other hand, the LockBit operators have struggled to resume their standard activity since Operation Cronos, as its affiliates are concerned that the authorities have compromised their operation and are being spied on too closely.
This inactivity from the group does not mean that their operations are over since some of the group’s campaigns still execute disruptive attacks and remain a menace to every organisation globally.
