The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, just days after an international law enforcement exercise took control of its servers.
To this end, the infamous group has moved its data leak portal to a new .onion address on the TOR network, listing 12 new victims as of this writing.
The administrator behind LockBit, in a long follow-up message, stated that some of their websites were seized most likely by exploiting a critical PHP flaw identified as CVE-2023-3824, acknowledging that they had not updated PHP due to “personal negligence and irresponsibility”.
“I realize it may not have been this CVE, but something else like a 0-day for PHP, but I can’t be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so it is very likely that victims’ admin servers, chat panels and blog servers were accessed,” they noted.
They further claimed that the US Federal Bureau of Investigation (FBI) “hacked” their infrastructure due to a ransomware attack on Fulton County in January and that “the stolen documents contain many interesting things and Donald Trump’s court cases that could influence the upcoming US elections.”
They also called for attacking the “.gov sector” more often, and stated that the server from which authorities obtained more than 1,000 decryption keys contained nearly 20,000 decryptors, most of which were protected and accounted for about half of the total number of decryptors generated since 2019.
The group further added that affiliates’ nicknames “have nothing to do with their real nicknames on forums or even nicknames in messengers.”
That’s not all. The post also attempted to discredit law enforcement, claiming that the real “Bassterlord” has not been identified and that the FBI’s actions are “aimed at destroying the reputation of my affiliate program.”
“Why did it take 4 days to restore? Because I had to change the source code for the latest version of PHP, since there was an incompatibility,” they said.
“I will stop being lazy and make sure that absolutely every locker build has maximum protection, now there will be no more automatic test decryption, all test decryptions and issuing decryptors will be done only in manual mode. So in the possible next attack, the FBI will not be able to get a single decryptor for free.”
Russia arrests three SugarLocker members
The development comes as Russian law enforcement arrested three people, including Aleksandr Nenadkevichite Ermakov (aka blade_runner, GustaveDore or JimJones), in connection with the SugarLocker ransomware group.
“The attackers worked under the guise of a legitimate IT company, Shtazi-IT, which offers services for the development of landing pages, mobile applications, scripts, parsers and online stores,” Russian cybersecurity firm FACCT said. “The company has openly posted advertisements for hiring new employees.”
The operators have also been accused of developing custom malware, creating phishing sites for online stores, and directing user traffic to fraudulent schemes popular in Russia and Commonwealth of Independent States (CIS) nations.
SugarLocker first appeared in early 2021 and subsequently began to be offered under the ransomware-as-a-service (RaaS) model, renting its malware to other partners under an affiliate program to hack targets and distribute the ransomware payload.
Nearly three-quarters of the ransom proceeds go to affiliates, a figure that rises to 90% if the payout exceeds $5 million. The cybercrime group’s links to Shtazi-IT were previously revealed by Intel 471 last month.
Ermakov’s arrest is noteworthy, as it comes in the wake of financial sanctions imposed by Australia, the United Kingdom and the United States against him for his alleged role in the 2022 ransomware attack against health insurance company Medibank.
The ransomware attack, which occurred in late October 2022 and was attributed to the now-defunct REvil ransomware team, led to unauthorized access affecting approximately 9.7 million current and former customers.
The stolen information included names, dates of birth, Medicare numbers and sensitive medical information, including mental health, sexual health and drug use records. Some of these documents also ended up on the dark web.
It also follows a report from the TASS news agency, according to which a 49-year-old Russian citizen will be tried on charges of carrying out a cyber attack on technological control systems that left 38 settlements in Vologda without electricity.