Lockbit, the leading ransomware gang, was the victim of a cyberattack on April 29. The gang's official website now displays the following message: "Don't do crime, crime is bad, xoxo from Prague". All of the gang's administration panels display the same message. Apparently, a cybercriminal from Prague in the Czech Republic managed to break into Lockbit's servers.
Sensitive and valuable data
On the gang's website, the hacker also makes a MySQL database dump available. This dump contains a wealth of sensitive data on the activities of Lockbit's cybercriminals. Our colleagues at Bleeping Computer, who combed through the dump, found a list of the gang's 59,975 Bitcoin addresses, 4,442 negotiation messages between Lockbit and its targets, and some of the passwords used by the ransomware's 75 administrators and affiliates. It also contains attack configurations for specific targets.
As expert Clément Domingo explains on his X account, it's "a gold mine" for "cybersecurity researchers, intelligence agencies, and certain cybercriminal groups." With the compromised data, it's possible to uncover Lockbit's activities and track all their misdeeds, including their cryptocurrency transactions. This is ideal for tracking ransoms paid by victims. In Clément Domingo's view, this new data leak "could definitively bury Lockbit." The same goes for Bleeping Computer, which suggests that this could be the "final nail in the coffin" of the gang.
Lockbit Downplays the Impact of the Data Leak
In a conversation with another hacker, Lockbit's leader, LockBitSupp, confirmed the data breach, while downplaying the impact of the incident. He clarified that the ransomware's source code was not compromised, nor were the decryption keys. Lockbit's business model is not at risk. He adds that the leak does not affect companies that have already been hacked by him. The cybercriminal, whose identity was disclosed last year by the FBI, claims to have already returned to work.
Clément Domingo points out that the hacked Lockbit site is "accompanied by a message identical to the one left during the hack of the Everest ransomware group." Last month, that gang was indeed the target of a cyberattack. Everest's dark web site, which listed more than 230 victims, went offline, displaying the same mysterious message. This suggests that the same hacker compromised both the Everest and Lockbit servers. It could also be a copycat.
This is not the first time that Lockbit has suffered a cyberattack. Last summer, the group faced a barrage of DDoS attacks, which temporarily took all of its platforms offline. Furthermore, Lockbit found itself in the crosshairs of the law last year. During the winter, a major police operation led by the FBI hit Lockbit. Law enforcement managed to take control of part of the gang's infrastructure and arrest some of its members. Later, it also emerged that the FBI had obtained some of the criminals' decryption keys.
Lockbit quickly resurfaced with a series of cyberattacks against US companies and government entities. Despite the authorities' efforts, the group returned to the forefront. The gang, however, appeared weakened, resulting in a notable drop in the number of extortion operations.
Source: Bleeping Computer