Unsurprisingly, LockBit ransomware crew has returned

(Image credit: Shutterstock / binarydesign)

Less than a week after the British police and its international partners took down LockBit infrastructure, the infamous threat actor is back and ready to resume its nefarious operations.

According to BleepingComputer, the ransomware-as-a-service operator has set up a new .onion address, which not only lists five new victims and countdown timers for data leaks, but also a message for law enforcement.

The group reportedly created a mock-up FBI leak image explaining that the attack was successful not because the police did a great job, but because the group became complacent.

Protecting Donald Trump?

“Because for 5 years of swimming in money I became very lazy,” the notification reads. “Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time.”

Previously, the operators said the NCA only took down servers running PHP, and that backup systems without PHP were not affected. They also added that the chat panels server and the blog server were running PHP 8.1.2, which were vulnerable to CVE-2023-3824, giving the NCA a window of opportunity to move in and disrupt the operation.

The operators also speculated that law enforcement attacked LockBit because the group obtained sensitive information on Donald Trump’s court cases during the attack on Fulton County in January this year. If leaked, the data “could affect the upcoming US election,” they said.

In retaliation, LockBit will attack “the .gov sector more often” and test its capability to fight back.

The NCA and its international partners recently announced they took down the LockBit website and its infrastructure, which included 34 servers hosting stolen information, decryptors, information on affiliates, and more.

However, as no arrests were made, it was clear that the group was bound to bounce back sooner or later.

More from TechRadar Pro

One of the biggest data leaks ever has just been revealed - here's what to do if you've been hit
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.