It seems the LockBit takedown didn’t last long. The ransomware-as-a-service (RaaS) group has launched its leaks site again.

On February 19th 2024 the NCA and FBI, in a joint effort, took down LockBit’s infrastructure that spanned three countries. Now, a week later, the group’s leader “LockBitSup” posted a statement saying, “Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment.”

The letter said that the FBI couldn’t reach the backup blog domains because they didn’t have PHP installed, suggesting that law enforcement exploited a PHP vulnerability. The leader calls attention to CVE-2023-3824, a buffer overflow affecting PHP versions 8.0.* – 8.0.29, 8.1.* – 8.1.21, and 8.2.8, calling the unpatched installation “negligence” on their part.

At this time, details of how the sites were compromised have not been released.

The leader went on to say that it took four days to recover because they had to edit the source code of the latest PHP version. The letter included links for some of the ransomed companies, to be published should they refuse to pay. Several others “will be published later in a new blog,” they said.

While the initial impact on LockBit was real, it is not likely to hinder future operations, due to the nature of RaaS and cloud infrastructure.

By Ghost40