LockBit ransomware gang infrastructure reported down


A ransomware-monitoring website reported that the infamous LockBit gang might have been taken offline - now, it looks as if the incident was a false alarm.

Article update: 6:15pm EST. It appears all but one of the nine LockBit 3.0 dark mirror sites are back online. Many of the LockBit 2.0 mirror sites are listed as "REBRANDED TO LB 3."

Article update: 6:35pm EST. The LockBit Blog, LockBit Private Note, and LockBit File Share sites are all back online. LockBit and LockBit 2.0 Deep are not.


The deep-web intel-watch site Dark Feed tweeted about the possible disruption of the Russian-linked group Tuesday afternoon at 3:44pm EST.

With the most recent FBI takedowns of the popular hacker forum Breached and the globally disruptive Hive ransomware gang earlier this year, an infrastructure takedown of the high-profile LockBit syndicate is not an outlandish thought.

"It doesn't happen a lot, but it looks like all of LockBit's ransomware team infrastructure is down," the Dark Feed tweet stated, along with an image of what appears to be a link to LockBit's dark-web onion address, a hidden domain usually accessible via a Tor browser.

The tweet had over 3,000 views at the time plus numerous comments.

The Cybernews team also found that all the LockBit URLs it had on file for the gang were returning the same "502 Bad Gateway" error from the nginx open-source web server.

Our news team has about a dozen different URLs, otherwise known as mirror links, each of which would typically lead a user to the same LockBit victim leak site.

Image caption: All LockBit URLs and mirror sites Tuesday afternoon on the dark web

The Cybernews team noted that LockBit is known to change its URLs often, which seemed to be the case in this instance, as we watched most of the downed LockBit links slowly come back online.

At 4:20pm EST, cyber threat analyst Alexander Leslie from Recorded Future also pointed out to colleagues on Twitter, "This happens sometimes, usually as the result of an update."

"It’s been sporadically offline since about 10:00 ET (14:00 UTC). I can confirm that LockBitSupp is currently online. I think that the blog will return soon. If not, I’d start to get suspicious around 24 hours in…," the tweet said.

Another industry insider, a cybersecurity threat analyst at Emsisoft, couldn't help but poke fun at the situation in a Twitter post of his own, joking about the LockBit victim-leak site suffering the same fate as the Hive gang.

The LockBit ransomware gang has been around since 2019 and is known for its malware of the same name, originally called the ".abcd virus."

The LockBit malware has since evolved through 2.0 and 3.0 versions.

It primarily operates under a Ransomware-as-a-Service (RaaS) model, keeping roughly 25% of the ransom profits and passing the rest to the affiliates who rent the group's malware to carry out the attacks.

The notorious ransomware gang boasts more than 1,500 victims, claiming to have infiltrated 51 organizations in the month of February alone, as well as the UK postal service Royal Mail in January.

The LockBit ransomware gang most recently claimed the City of Oakland as its latest victim, uploading the city's files to the LockBit leak site on March 21.


LockBit had reportedly demanded a $2 million payment from the city by April 10 for the release of its encrypted files.

The group has also been linked to other Russian-affiliated cartels, such as Conti and its successor Black Basta, as well as DarkSide and its descendants BlackMatter and BlackCat/ALPHV.

Cybernews will follow the story.