THE RETURN OF LOCKBIT! - 15/05/2024

I started this story before Operation Cronos. Hence you can see tiny details unfolding before the FBI/Europol compromise and afterwards. This article mainly focuses on the comeback of the LockBit group and their approach after Operation Cronos, and does NOT attribute the identity of LockBitSupp. Moreover, it is a collection of observed events in the LockBit series that had gone unnoticed.

1. INTRODUCTION
2. THE COMEBACK
3. VICTIMIZATION
4. LOCKBIT INFRASTRUCTURE HUNT
5. LOCKBIT MOVING TO TORRENT FILE SHARES
6. VICTIM CASE STUDY: CRINETICS
7. LOCKBIT LEAK HOSTING
8. UNRELATED LOCKBIT DOMAIN
9. LOCKBIT IMITATORS AROUND
10. LOCKBIT AFFILIATE?
11. REALITY CHECK?
12. LEAK DATE EXTENSION: ADOPTION OF NEWER APPROACH
13. OPERATION CRONOS: PART 2
14. LOCKBIT TOX STATUS UPDATES
15. CONCLUSION
16. IOC

INTRODUCTION

After the ban of LockBit on forums like XSS and Exploit, and the law enforcement infiltration of LockBit via Operation Cronos, it is evident that the group lost a number of internal files: the negotiation panel, affiliate member list, victim database, chats and decryption keys were exposed to the public, and their well-built reputation was tainted. Initially, on their comeback, LockBit republished past leaks (from before Operation Cronos). After the infosec community criticized the re-use of old leaks, the group withdrew them and came back with a fresh batch of victims. This article is purely going to focus on the second reign of LockBit!

THE COMEBACK

After Operation Cronos Part 1, it took about a week for LockBit to resurface with all their mirror servers back online and new victims listed on their Data Leak Site (DLS). Victims are given an average 29-day negotiation window before the entire data set is leaked to the public on the LockBit leak servers.
Currently, the victim list stands at 200+ (post Operation Cronos), which signifies their strong presence in the corporate ransomware scene.

NOTE: Operation Cronos made a major impact in crippling LockBit, but the group remains strong and is defending against all the drawbacks.

VICTIMIZATION

LockBit started to victimize more often, including reputed targets such as the US Government wing DISB (the Government of the District of Columbia Department of Insurance, Securities and Banking, which regulates financial-service businesses), Polycab, OracleCMS, Nampak, Crinetics, etc. However, victim data now appears on their site with a delay, unlike the regular upload cadence seen before Operation Cronos. In some cases (such as Polycab, Krueth and CasaJove) the leaks are not yet listed even after the deadline, which is suspicious. This could be due to LockBit losing the data at the time of Operation Cronos, OR the victims might have paid the ransom.

Looking at the victim geography, the US tops the list, followed by the UK, Germany, Canada, India and France.

NOTE: While analyzing the data, it was found that LockBit had listed 235 victims (at the time of writing, ATTOW) after Operation Cronos Parts 1 & 2. For info, you may contact me.

LOCKBIT INFRASTRUCTURE HUNT

During the analysis, it was found that LockBit maintains a stable server to host large leaks on a new Onion domain:

- lockbit33chewwx25efq6dgkhkw4u7nefudq4ijkuamjfd7x73on6dyd.onion

This leak site runs on nginx/1.25.4, the latest version of NGINX (ATTOW), in line with LockBit's promise to avoid any unpatched versions after Operation Cronos Part 1. Their main DLS, which runs on nginx/1.24.0, is:

- lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion

During my research, LockBit's original IP got exposed.
By digging further, we can extrapolate the following details:

- IP: 5.182.5.126
- ASN: 49505
- Location: Russia
- Server: NGINX

NOTE: The same IP has a historic connection with the domain waralbum.ru, which was associated with the BuhTrap banking trojan in 2016.

Old LockBit servers (now controlled by Europol under Operation Cronos) were running Apache/2.4.57 (Debian). The LockBit group has moved to NGINX servers on the newest stable Onion domains.

LOCKBIT MOVING TO TORRENT FILE SHARES

On March 9, 2024, LockBit operators brought 18 vanity Onion domains online, listing about 710+ clients along with torrent files to make downloading easier.

NOTE: All the Onion domains are listed at the end of the article in the IOC section.

In mid-November 2023, LockBit decided to make torrent files for all of its victims for easier accessibility. Each victim's data (torrent version) is packaged and assigned a 5-character name instead of the company name, such as I85F5, 7E6EE, V4DV5, LIHD9, PLPT7, etc. While digging further, it was also observed that a file tree for each victim was created on the same day, i.e. 9th March 2024. All the torrent trackers of LockBit leaks point to:

- http://3bqptmf5ergw7mgj6jalvn5ohh2ubhssestvrwfdoubaz7nkrix4jcqd.onion:6969

Torrenting leaks is not a new approach: the Clop ransomware gang had already used it earlier, back in September 2023. It lets the group blend its traffic with the public swarm, and the leaked files stay available longer because they are shared in a decentralized fashion.

VICTIM CASE STUDY: CRINETICS

Crinetics is listed by LockBit as the work of a shadow group or an affiliate whose data is not claimed directly by LockBit. On 20th March, as an update, the group listed 8 screenshots of the negotiation taking place between LockBit and the victim. The demand was $4M, but the client could pay up to $1.8M.
On April 2, as the negotiation did not turn out fruitful, the group extended the leak date to 7th April, 2024, along with an explanation stating that LockBit had terminated communication with the victim, who had provided information to Recorded Future in breach of the instructions given by LockBit. Finally, the LockBit affiliate closed this chapter on April 11, 2024 by increasing the ransom for information destruction and data download to $7M. The wallets demanded for Crinetics are:

- BTC: bc1qdtawyte5qtxgrk6far90tpeh9atfvyqgv5rcxs
- XMR: 48XyFEbDz4117SopGgaSjAaMK2uXqvnmq7W2wFXKUFPJNdTLFUvgKyx82jcRiWXBDv9ojbijGYyqz9edtrsgZG9NMHG7Xff

NOTE: The chat transcript of this client was purposefully put by LockBit on its shame page, which has not been observed for any other victim. Either this is a warning message to the public, to prove that negotiations take place in the millions, OR this act was not carried out directly by LockBit but by an affiliate.

LOCKBIT LEAK HOSTING

The newly released victim data (post-Europol episode) is initially hosted on Mega instead of dedicated LockBit data servers, as it takes more operational time to upload the databases to LockBit's own servers. Later it is moved to their dedicated LockBit servers:

- lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion
- lockbit33chewwx25efq6dgkhkw4u7nefudq4ijkuamjfd7x73on6dyd.onion (downloads are pulled from here)

UNRELATED LOCKBIT DOMAIN

While analyzing the data leaks, a peculiarity was found in the case of Pronat Industries, whose data is not hosted on the regular LockBit platform but on:

- bu27ucccflf4bkwssunbtvf6lflhp6ydvbqoxduf62ywzmpmv24wcgid.onion

It is not a vanity TOR domain, unlike the other URLs. It can be assumed that this is either a non-LockBit affiliate, or a storage issue where LockBit (or affiliates) decided to store the data in a separate Onion domain unrelated to LockBit.
For this client, they have given BTC and XMR addresses similar to Crinetics; the BTC address is different, but the XMR address remains the same:

- BTC: bc1qjwquf4n0j6tc55wg9zymkas2ue484ddxtl70wv
- XMR: 48XyFEbDz4117SopGgaSjAaMK2uXqvnmq7W2wFXKUFPJNdTLFUvgKyx82jcRiWXBDv9ojbijGYyqz9edtrsgZG9NMHG7Xff

A new pattern was found for well-known targets, where LockBit extends the leak period from 5 days by an additional 10 days, hence delaying the leak.

LOCKBIT IMITATORS AROUND

There are various scammers around the cyber corners on sources such as Telegram channels, Discord servers, etc. Sometimes we can even see ransom notes imitating the LockBit style of attacks.

NOTE: Here, you can see that the imitator used genuine LockBit URLs and the TOX ID to show the genuineness of LockBit. But when it comes to XMPP, the same ID is present in CryptBB ransomware, which dates back to November 2022.

Many noobs got hold of the leaked build of LockBit and weaponized it against random targets, hoping to hit a jackpot. The intended targets may misidentify them as legitimate LockBit and hence end up paying them. Here is another chat transcript with a fake LockBitSupp on the Telegram platform, where he charges $500 as a joining fee to a private group.

In another scenario, the victim companies leaked by LockBit are resurfaced by other groups such as "Dispossessor", which list the same LockBit victims. Here you can see a screenshot of the same from their website. By observing their victim list, it was found that the group had listed 80% of its clients from LockBit, and also a few victims from 3AM and 8Base.

NOTE: This indicates that there are groups who regularly download the leaks and list them after a while by launching a new website.

NOTE 2: If you want to read about LockBit imitators exclusively, I already wrote a research article a couple of months back. You can check it out here.

LOCKBIT AFFILIATE?
While checking for LockBit affiliates on the dark web, it was found that a Russian member named "Hexonium" on a deep web forum claimed to be an affiliate of LockBit, providing the genuine Onion domain of LockBit. Checking the forum activity and the URL used, we can see that this member has been active since December 2023. Navigating through the posts, we can see that Hexonium does not initiate any thread in the community; all (s)he does is interact with the breaches by posting "nigger" as a common term in all posts. Hence we cannot rely on Hexonium as a genuine affiliate, as we have seen many skids use the LockBit aura to spread fear among victims, especially since LockBit Black got leaked in September 2022.

NOTE: Hexonium is the name of an in-game cryptocurrency, a project from Cardano. The image used by the forum user also signals the user's strong liking of the Cardano platform.

REALITY CHECK?

Here is the direct interaction with LockBitSupp where he denies any involvement in other channels.

LEAK DATE EXTENSION: ADOPTION OF NEWER APPROACH

It was found that the group is delaying its leaks beyond the already-set timer. This does not apply to all listed victims, but it was observed for a few. Polycab is one such example, where the initial leak date was April 5 but was extended to April 22, 2024. Although the timer has now run out, the data is still not listed (ATTOW). It could have been lost during the first batch of the Operation Cronos campaign. Another well-known corporation from India, "RJCorp", was scheduled for release on April 15th but is missing from the current list. There are 2 possibilities for this: either the party paid the ransom and their name was removed from the Data Leak Site, OR it might be an empty threat by LockBit to inflate their victim count.
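The signals described in this section (timers pushed later, names vanishing before the deadline, timers expiring with nothing downloadable) and the re-listing of old victims in a later batch are easy to track from periodic captures of a leak site. The following Python tracker is an added example, not code from the original article; the snapshot format and the victim names are constructed placeholders.

```python
from datetime import date

# One capture of the leak site: observation day plus, per listed name, the
# countdown deadline shown and whether the data is already downloadable.
Snapshot = tuple[date, dict[str, tuple[date, bool]]]

def deadline_extensions(snaps: list[Snapshot]) -> dict[str, list[tuple[date, date]]]:
    """Names whose countdown was pushed to a later date between two captures."""
    out: dict[str, list[tuple[date, date]]] = {}
    for (_, prev), (_, cur) in zip(snaps, snaps[1:]):
        for name, (deadline, _) in cur.items():
            if name in prev and deadline > prev[name][0]:
                out.setdefault(name, []).append((prev[name][0], deadline))
    return out

def silently_removed(snaps: list[Snapshot]) -> set[str]:
    """Listed, then gone, with data never published: paid, or an empty threat."""
    ever_published = {n for _, e in snaps for n, (_, p) in e.items() if p}
    gone: set[str] = set()
    for (_, prev), (_, cur) in zip(snaps, snaps[1:]):
        gone |= {n for n in prev if n not in cur and n not in ever_published}
    return gone

def relisted(snaps: list[Snapshot]) -> set[str]:
    """Names that dropped off and later came back: old victims re-listed in a
    new batch inflate the apparent number of fresh infections."""
    seen, absent, back = set(), set(), set()
    for _, entries in snaps:
        names = set(entries)
        absent |= seen - names      # seen before, missing in this capture
        back |= absent & names      # ...and now present again
        seen |= names
    return back

def overdue_without_data(snaps: list[Snapshot], as_of: date) -> set[str]:
    """Timer expired, still listed, nothing downloadable (data lost or never held)."""
    _, latest = snaps[-1]
    return {n for n, (d, p) in latest.items() if d < as_of and not p}

# Constructed sample mirroring the patterns above: a countdown extended from 5 to
# 22 April, a name dropped before its 15 April deadline, a name re-listed on 9 May.
SAMPLE: list[Snapshot] = [
    (date(2024, 4, 1), {"victim-a": (date(2024, 4, 5), False),
                        "victim-b": (date(2024, 4, 15), False),
                        "victim-c": (date(2024, 3, 30), True)}),
    (date(2024, 4, 10), {"victim-a": (date(2024, 4, 22), False),
                         "victim-b": (date(2024, 4, 15), False)}),
    (date(2024, 4, 20), {"victim-a": (date(2024, 4, 22), False)}),
    (date(2024, 5, 9), {"victim-a": (date(2024, 4, 22), False),
                        "victim-c": (date(2024, 5, 30), False)}),
]

if __name__ == "__main__":
    print(deadline_extensions(SAMPLE), silently_removed(SAMPLE),
          relisted(SAMPLE), overdue_without_data(SAMPLE, SAMPLE[-1][0]))
```

Feed it one snapshot per daily capture; each function returns the names that match one of the behaviours, so the output can be diffed day to day.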
OPERATION CRONOS: PART 2

In the first week of May 2024, Europol posted the following update on the previously compromised LockBit website:

- lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion

According to the post, the identity of LockBitSupp and other LockBit affiliates was revealed on May 7, 14:00 UTC. As per the revelation, the identity of LockBitSupp was traced to a Russian national named "Dmitry Yuryevich Khoroshev". The following events were observed after the LockBit identity reveal:

1) Soon after this disclosure, many security researchers began to scoop up details of the alleged member using the email addresses and phone numbers shared.

2) One hour after the identity reveal, LockBitSupp came up with the following status:

"The FBI is bluffing, I'm not Dimon, I feel sorry for the real Dimon ))) oh and he will get pussy for my sins )))"

3) After this status update, many in the industry started to interpret this as a defensive move by Khoroshev to clear himself. This may be true, but we cannot know at this moment.

4) The following day, on May 9th, LockBit added 77 new victims to their DLS domain. Some of the victims reappeared in the new batch. This could be to inflate the number of victims, delivering an overall impression of a high number of single-batch infections.

5) LockBit also added a new message on the DLS titled "contest.omg", in which he challenged the community to communicate with Dmitry and provide evidence through their new portal.

6) The old sites (controlled by the Feds) are now being shut down (they were active for 4 days).

LOCKBIT TOX STATUS UPDATES

Here are the important status updates of LockBitSupp.
Captured at different intervals:

- "все на шашлындос" (Everything is on the barbecue)
- "ФБР блефует, я не Демон, мне жаль настоящего Демона))) о, и он получит пизды за мои грехи)))" (The FBI is bluffing, I'm not Dimon, I feel sorry for the real Dimon ))) oh and he will get pussy for my sins )))
- "Придумайте как доказать, что я не Демон? Как показать всему миру что ФБР ошиблись или специально подставили Демона?" (Can you figure out how to prove that I'm not a Demon? How can we show the whole world that the FBI made a mistake or deliberately framed a Demon?)
- "участвуем в конкурсе, условия в блоге" (We participate in the competition, conditions in the blog)

CONCLUSION

When it comes to takedowns: they are not as effective as claimed. As RaaS is a profitable business, this trend will continue. The arrest of a group paves the way for the comeback/birth of the next group with a more defensive approach. In this case, it is not yet clear how Europol landed on Khoroshev. In short, no substantial evidence has been provided to establish an active link between Khoroshev and LockBit, beyond the assumption of similar timelines. At the same time, due to the secrecy of the operation, we cannot be sure that Dmitry is NOT LockBitSupp. We have to wait a bit longer for the truth to be unveiled, as LockBitSupp has announced that it is no longer about money for them, but about the victim count.

NOTE: This is a developing story and you will see the updates once I get them.
IOC

BTC Wallets
- bc1qdtawyte5qtxgrk6far90tpeh9atfvyqgv5rcxs
- bc1qjwquf4n0j6tc55wg9zymkas2ue484ddxtl70wv

XMR
- 48XyFEbDz4117SopGgaSjAaMK2uXqvnmq7W2wFXKUFPJNdTLFUvgKyx82jcRiWXBDv9ojbijGYyqz9edtrsgZG9NMHG7Xff

IP
- 5.182.5.126

TOX
- 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7

EXTRA READING

If you are an avid reader of the LockBit story, here are a few resources which I personally liked:

- https://krebsonsecurity.com/2024/05/how-did-authorities-identify-the-alleged-lockbit-boss/
- https://analyst1.com/ransomware-diaries-volume-5-unmasking-lockbit-2/
- https://therecord.media/lockbitsupp-interview-ransomware-cybercrime-lockbit