LockBit Ransomware Group Active Again After Law Enforcement Takedown
What’s Happening & Why This Matters
After international law enforcement took down its servers, the LockBit ransomware operation is back, having moved its data leak portal to a new .onion address on the Tor network and listing 12 new victims. The group claims that its websites were confiscated through a PHP flaw and that the FBI hacked its infrastructure. It is calling for attacks on the “.gov sector” and is modifying its decryption process to prevent law enforcement from obtaining decryptors.
Russia Arrests Three SugarLocker Members
Russian law enforcement arrested three individuals, including Aleksandr Nenadkevichite Ermakov, in connection with the SugarLocker ransomware group. The attackers posed as a legitimate IT firm offering services while developing malware and running fraudulent schemes to generate traffic. SugarLocker, which started in 2021 and later switched to the ransomware-as-a-service (RaaS) model, has been linked to the now-defunct REvil ransomware crew.
The arrested member, Ermakov, was targeted in financial sanctions by the U.K., Australia, and the U.S., following his alleged role in the 2022 ransomware attack against health insurance provider Medibank.
LockBit Saga – Timeline
- 20 Feb 2024
- Authorities Seize Darknet Domains linked to LockBit ransomware
- 21 Feb 2024
- UK’s National Crime Agency (NCA) shuts down LockBit ransomware and arrests 2 members, releasing a decryption tool
- 22 Feb 2024
- The US State Department offers a $15 million reward for information on LockBit ransomware leaders
- 25 Feb 2024
- The individual(s) behind LockBit ransomware engage with law enforcement
- 26 Feb 2024
- The LockBit ransomware group resurfaces after the law enforcement takedown