LockBit Re-Emerges After Take Down

Written by Editorial Team | Feb 28, 2024 2:43:35 PM

Just one week after the takedown of the LockBit ransomware group, it appears their servers are back online. While law enforcement seized their shame site, they appear to have missed LockBit's backup servers, allowing the group to become operational again quickly. GroupSense's CEO was featured in DarkReading to speak on the group's leader. Read the excerpt below or get the full article here.

One would be well-advised to greet the leader of LockBit with skepticism. "Like a lot of these guys in the ransomware space, he's got quite an ego, he's a little bit volatile. And he has been known to tell some pretty tall tales when it suits his objective," says Kurtis Minder, a ransomware negotiator, and co-founder and CEO of GroupSense.

In his letter, however, the person or persons Minder refers to as "Alex" strikes a notably humble tone.

"Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time," the ransomware ringleader wrote, citing the critical, 9.8 out of 10 CVSS-rated PHP bug CVE-2023-3824 "as a result of which access was gained to the two main servers where this version of PHP was installed. I realize that it may not have been this CVE, but something else like 0day for PHP, but I can't be 100% sure."

Crucially, he added, "All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies." Indeed, thanks to this redundancy, LockBit's leak site was back up and running after a week, featuring a dozen victims: a lending platform, a national network of dentistry labs, and, most notably, Fulton County, Georgia, where former president Trump is currently involved in a legal battle.