Unsurprisingly, LockBit ransomware crew has returned

It took less than a week for LockBit to come back online

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Less than a week after the British police and its international partnerstook down LockBit infrastructure, the infamous threat actor is back and ready to resume its nefarious operations.

According toBleepingComputer, theransomware-as-a-service operator has set up a new .onion address, which not only lists five new victims and countdown timers for data leaks, but also a message for law enforcement.

The group reportedly created a mock-up FBI leak image explaining that the attack was successful not because the police did a great job, but because the group became complacent.

Protecting Donald Trump?

Protecting Donald Trump?

“Because for 5 years of swimming in money I became very lazy,” the notification reads. “Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time.”

Previously, the operators said the NCA only took down servers running PHP, and that backup systems without PHP were not affected. They also added that the chat panels server and the blog server were running PHP 8.1.2, which were vulnerable to CVE-2023-3824, giving the NCA a window of opportunity to move in and disrupt the operation.

The operators also speculated that law enforcement attacked LockBit because the group obtained sensitive information on Donald Trump’s court cases during the attack on Fulton County in January this year. If leaked, the data “could affect the upcoming US election,” they said.

In retaliation, LockBit will attack “the .gov sector more often” and test its capability to fight back.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The NCA and its international partners recently announced they took down the LockBit website and its infrastructure, which included 34 servers hosting stolen information, decryptors, information on affiliates, and more.

However, as no arrests were made, it was clear that the group was bound to bounce back sooner or later.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

3 reasons why PIA fell in our best VPN rankings

I’ve covered Black Friday for eight years and these are the deals I’d buy from the early sales