LockBit back online, already targeting hospitals with ransomware

LockBit, the infamous ransomware-as-a-service cybercrime gang, is back online just days after a global police bust claimed to have decimated the group’s infrastructure. Wasting no time, LockBit has already named its first victim, the US network of specialty hospitals, Ernest Health.

The group claimed to have restored its servers over the weekend just days after a massive international law enforcement takedown of the gang named Operation Cronos.

Thirty-four of the gang’s servers and over 200 cryptocurrency accounts linked to the criminal organization were said to have been seized in the February 19th bust.

“LockBit has restored their servers (new Tor domains) and is planning on making a statement to the FBI regarding last week's takedown,” malware repository vx-underground first reported on February 24th.

The global operation, led by the UK National Crime Agency, was considered a triumph over the gang, and even though LockBit claims to have resurrected, a spokesperson for the NCA, said the group "remains completely compromised."

"We recognized that LockBit would likely attempt to regroup and rebuild their systems. However, we have gathered a huge amount of intelligence about them and those associated with them, and our work to target and disrupt them continues," the NCA said on Monday.

LockBit takedown
LockBit seizure, Operation Cronos screenshot. Image by Reuters.

The operation culminated with the US arrest of two Russian nationals, and a father-son duo were arrested in Ukraine by French Police – all charged with deploying LockBit ransomware worldwide and attempting to extort its victims.

Mickey Bresman, CEO of AD security and recovery platform Semperis declares the latest developments in the LockBit saga “worthy of its own Netflix series.”

"Make no mistake that the ransomware scourge of the past five years has gotten the attention of NCSC, Interpol, FBI, and other global law enforcement agencies, Bresman said. “They fight on a daily basis to disrupt the unlawful actions of LockBit, BlackBasta, Cl0P, ALPHV, and numerous other gangs,” he said.

Bresman said the evolving situation “allows another peek behind the curtain of cybercriminal activity."

However, on Monday, it appeared LockBit was back to business as usual, as reports began to surface of a ransomware attack on Ernest Health, a network of rehabilitation and long-term acute care hospitals spanning a dozen states coast to coast.

"LockBit is back to attacking hospitals. Ernest Heath allegedly breached, " cybersecurity analyst and security researcher Dominic Alvieri posted on X.

The 36 speciality hospitals run under Earnest Health are located in Arizona, California, Colorado, Idaho, Indiana, Montana, New Mexico, Ohio, South Carolina, Texas, Utah, Wisconsin, and Wyoming, according to its website.

Cybernews has reached out to Ernest Health and is awaiting a response.

Meanwhile, soon after the group resurrected its dark web presence, also LockBit’s administrative staff released a roughly 20-thousand word response to the FBI, written in both English and Russian.

Vx-underground posted a summary of the lengthy diatribe on X.

"In summary: they claim they failed to keep their systems up-to-date because they had become 'lazy', and they had become complacent. They believe they were compromised by CVE-2023-3824, but are not totally sure. They also speculate it could have been a zero-day exploit. They also speculate other RaaS groups (their competitors) may have been compromised, " the post said.

"They also speculate the reason why the FBI took such aggressive action was because a recent ransomware attack performed by one of their affiliates had sensitive information on former President Donald J. Trump. They state they believe their affiliates should target government entities more often to illustrate government vulnerabilities and flaws," vx-underground added.

LockBit also speculated authorities used a vulnerability in the PHP programming language (widely used to build websites and online applications) to hack the site.

"All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies," the gang wrote.

LockBit FBI response
LockBit new dark leak site

LockBit's own website was used by police to taunt its ringleaders, and last Friday police insinuated its leader "LockBitSupp" was cooperating with law enforcement, without providing details.

"They want to scare me because they cannot find and eliminate me, I cannot be stopped," LockBit stated.

The new LockBit site pretty much looks like the old one, showing a gallery of company names, with a countdown clock waning its victims to pay up by the deadline or risk having their data published online or sold to the highest bidder.

LockBit new site
LockBit new dark leak site

Bresman called the public exchanges between law enforcement and LockBit “a mind game for credibility.”

"Overall, the fight between defenders and adversaries is an around-the-clock battle and it was only a matter of time before the group resurfaced in its entirety or its members joined other ransomware groups," Bresman said.

“The evil doers operate like any other organized corporation, with vendors and supply chains, similar to what we are custom to seeing in the typical company operation," he said.

LockBit noted in its statement, that the FBI said it "obtained a database, web panel sources, locker stubs that are not source as they claim and a small portion of unprotected decryptors."

The FBI had claimed to have access to "1000 decryptors [sic], although there were almost 20000 decryptors [sic] on the server, most of which were protected and cannot be used by the FBI," LockBit argued, taking the time to "name" the FBI as the first victim on the revamped site.

LockBit mimics FBI mockup
LockBit new dark leak site

LockBit has been rumored to be currently working on the 4th iteration of its stealthy LockBit 3.0 aka LockBit Black variant.

And on Friday, new threat research released by Sophos X-ops, showed some of LockBit affiliates still operating and using the gang’s 3.0 ransomware variant to attack victims.

Bresman points out that “cybercrime is a well-organized operation, and as such we need to have a well-organized defense to tackle it.”

Besides recommending companies always assume the breach position and have a robust backup and recovery plan, Bresman notes that, “overall, it doesn’t pay-to-pay ransoms, ever.”

Instead, he says companies should have a plan that allows choices. “Organizations can fight back and make it, so the criminal activity of ransom doesn’t carry the reward that the criminals are after,” he said.

According to the Cybernews ransomware monitoring tool, Ransomlooker, LockBit accounted for 47% of all publicly announced ransomware victims over the last 12 months, netting the gang profits in the multi-billions.

Big gets for LockBit in 2023 included companies such as Boeing and Allen & Overy, as well as the massive November exploit of the Citrix bug zero-day vulnerability.

More from Cybernews:

UnitedHealth's Change Healthcare hack blamed on ALPHV/BlackCat

LoanDepot reveals what data was exposed in Jan hack affecting 17M

The true cost of ransomware: 78% saw attackers coming back for more

Travelers targeted with Booking.com refund malware 

The Fediverse: a new era for social media or just a fad? 

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked