Pierluigi Paganini
February 26, 2024
Last week, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation.
The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.
The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.
The Tor leak site was seized by the NCA and is now used to publish updates on the law enforcement operation and provide support to the victims of the gang.
The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.
Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.
The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA will reach out to victims based in the UK in the coming days and weeks, providing support to help them recover encrypted data.
Now the LockBit gang is attempting to relaunch its RaaS operation, the group has set up a new infrastructure and is threatening to carry out cyber attacks on the government sector.
“Very simple, that I need to attack the .gov sector more often and more, it is after such attacks that the FBI will be forced to show me weaknesses and vulnerabilities and make me stronger. By attacking the .gov sector you can know exactly if the FBI has the ability to attack us or not.” wrote the gang.
In a couple of days, the gang added 12 entries to its website, five of them are new victims of the group. It seems that the group is re-populating its tor leak site.
The new leak site also includes an entry for the FBI that contains a long message to the law enforcement agency. According to the message, the FBI hacked the gang’s infrastructure because they didn’t want to leak information Fulton County. The ransomware gang claimed to have stolen documents containing a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.
Below is the entire message published by the gang:
"What happened. On February 19, 2024 penetration testing of two of my servers took place, at 06:39 UTC I found an error on the site 502 Bad Gateway, restarted nginx - nothing changed, restarted mysql - nothing changed, restarted PHP - the site worked. I didn't pay much attention to it, because for 5 years of swimming in money I became very lazy, and continued to ride on a yacht with titsy girls. At 20:47 I found that the site gives a new error 404 Not Found nginx, tried to enter the server through SSH and could not, the password did not fit, as it turned out later all the information on the disks was erased. Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time, the servers had PHP 8.1.2 version installed, which was successfully penetration tested most likely by this CVE https://www.cvedetails.com/cve/CVE-2023-3824/ , as a result of which access was gained to the two main servers where this version of PHP was installed. I realize that it may not have been this CVE, but something else like 0day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed. The new servers are now running the latest version of PHP 8.3.3. If anyone recognizes a CVE for this version, be the first to let me know and you will be rewarded. The problem doesn't just affect me. Anyone who has used a vulnerable version of PHP keep in mind that your server may have been compromised, I'm sure many competitors may have been hacked in the same way, but they didn't even realize how it happened. I'm sure the forums I know are also hacked in the same way via PHP, there are good reasons to be sure, not only because of my hack but also because of information from whistleblowers. I noticed the PHP problem by accident, and I'm the only one with a decentralized infrastructure with different servers, so I was able to quickly figure out how the attack happened, if I didn't have backup servers that didn't have PHP on them, I probably wouldn't have figured out how the hack happened. The FBI decided to hack now for one reason only, because they didn't want to leak information from https://fultoncountyga.gov/ the stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election. Personally I will vote for Trump because the situation on the border with Mexico is some kind of nightmare, Biden should retire, he is a puppet. If it wasn't for the FBI attack, the documents would have been released the same day, because the negotiations stalled, right after the partner posted the press release to the blog, the FBI really didn't like the public finding out the true reasons for the failure of all the systems of this city. Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates, but all you need to do to not get caught is just quality cryptocurrency laundering. The FBI can sit on your resources and also collect information useful for the FBI, but do not show the whole world that you are hacked, because you do not cause any critical damage, you bring only benefit. What conclusions can be drawn from this situation? Very simple, that I need to attack the .gov sector more often and more, it is after such attacks that the FBI will be forced to show me weaknesses and vulnerabilities and make me stronger. By attacking the .gov sector you can know exactly if the FBI has the ability to attack us or not. Even if you updated your PHP version after reading this information, it will not be enough, because you have to change the hoster, server, all possible passwords, user passwords in the database, audit the source code and migrate everything, there is no guarantee that you have not been hardened on the server. There is no guarantee that the FBI does not have 0day for your servers about which they have already learned enough information to re-hack, so only a complete change of everything that can only be replaced will help. All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies. As a result of hacking the servers, the FBI obtained a database, web panel sources, locker stubs that are not source as they claim and a small portion of unprotected decryptors, they claim 1000 decryptors, although there were almost 20000 decryptors on the server, most of which were protected and cannot be used by the FBI. Thanks to the database they found out the generated nicknames of the partners, which have nothing to do with their real nicknames on forums and even nicknames in messengers, not deleted chats with the attacked companies and accordingly wallets for money, which will be investigated and searched for all those who do not launder crypto, and possibly arrest people involved in laundering and accuse them of being my partners, although they are not. All of this information has no value because it is all passed to the FBI and without hacking the panel, after every transaction by insurance agents or negotiators. The only thing that is of value and potential threat is the source code of the panel, because of it is probably possible future hacks if you let everyone into the panel, but now the panel will be divided into many servers, for verified partners and for random people, up to 1 copy of the panel for 1 partner on a separate server, before there was one panel for everyone. Due to the separation of the panel and greater decentralization, the absence of trial decrypts in automatic mode, maximum protection of decryptors for each company, the chance of hacking will be significantly reduced. Leak of the panel source code was also happening at competitors, it didn't stop them from continuing their work, it won't stop me either. The FBI says they received about 1000 decryptors, a nice figure, but it doesn't look like the truth, yes they received some unprotected decryptors, those builds of the locker that were made without the "maximum decryptor protection" checkbox could only be received by the FBI in the last 30 days, it's not known on what day the FBI got access to the server, but we know exactly the date of CVE disclosure and the date when PHP generated an error, before Feb 19th the attacked companies were regularly paying even for unprotected decryptors, so there is a chance the FBI were only on the server for 1 day, it would be nice if the FBI released all the decryptors to the public, then you could trust them that they really own the decryptors, not bluffing and praising their superiority, not the superiority of 1 smart pentester with a public CVE. Note that the vast majority of unprotected decryptors are from partners who encrypt brute force dedicas and spam single computers, taking $2000 ransoms, i.e. even if the FBI has 1000 decryptors, they are of little use, the main thing is that they didn't get all the decryptors for the entire 5 years of operation, which number is about 40000. It turns out that the FBI were only able to get hold of 2.5% of the total number of decryptors, yes it's bad, but it's not fatal. - From this significant moment, when the FBI cheered me up, I will stop being lazy and make it so that absolutely every build loker will be with maximum protection, now there will be no automatic trial decrypt, all trial decrypts and the issuance of decryptors will be made only in manual mode. Thus in the possible next attack, the FBI will not be able to get a single decryptor for free. Probably, everyone has already noticed how beautifully the FBI has changed the design of the blog, no one has ever been given such honors, usually everyone just put the usual plug with the praise of all the special services of the world. Although in fact only one person from all over the planet deserves praise, the one who pentest my site and picked up the right public CVE, I wonder how much he was paid, how much was his bonus? If less than a million dollars, then come work for me, you'll probably make more with me. Or just come talk to me at tox 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 remember that I always have an active bug bounty program and I pay money for bugs found. FBI doesn't appreciate your talents, but I do and am willing to pay generously. I wonder why the alpha, revil, hive blogs were not designed so nicely? Why weren't their deanons published? Even though the FBI knows their identities? Strange isn't it? Because with such stupid methods FBI is trying to intimidate me and make me stop working. The FBI designer should work for me, you have good taste, I especially liked the new preloader, in the new update I should do something similar, USA, UK and Europe revolve around my logo, brilliant idea, right there made me feel very good, thanks. A couple of my partners were arrested, to be honest I doubt that very much, they are probably just people who are laundering cryptocurrencies, maybe they were working for some mixers and exchangers with drops, that's why they were arrested and considered my partners, it would be interesting to see the video of the arrest, where at their homes, Lamborghinis and laptops with evidence of their involvement in our activities, but I somehow think we will not see it, because the FBI arrested random people to get a certificate of merit from the management, say look there are arrests, we are not getting money for nothing, we are honestly working off taxes and imprisoning random people, when real pentesters quietly continue their work. Basssterlord is not caught, I know Basssterlord's real name, and it's different than the poor guy the FBI caught. I don't know any military journalist from Sevastopol Colonel Cassad, and I never donated to anyone, it would be nice if the FBI showed the transaction so I could check on the blockchain where they drew such conclusions from and why they claim it was me who did it, I never do any transaction without a bitcoin mixer. If I may have used the same cryptocurrency exchange service that someone from Evil Corp used it absolutely does not mean I have anything to do with Evil Corp, again where are the transactions? How do I know who is using which exchanger? I use different exchangers and I don't concentrate all my money on one cryptocurrency exchanger. Let's blame the hundreds of other people who use publicly available exchanges on Evil Corp. I really dislike that all such throw-ins are made without publishing transactions and wallets, thus it is impossible to verify what is true. You can accuse me of anything without proving anything, and there is no way I can refute it, because there are no transactions and bitcoin wallets. The FBI states that my income is over 100 million dollars, this is true, I am very happy that I deleted chats with very large payouts, now I will delete more often and small payouts too. These numbers show that I am on the right track, that even if I make mistakes it doesn't stop me and I correct my mistakes and keep making money. This shows that no hack from the FBI can stop a business from thriving, because what doesn't kill me makes me stronger. All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid. I am very pleased that the FBI has cheered me up, energized me and made me get away from entertainment and spending money, it is very hard to sit at the computer with hundreds of millions of dollars, the only thing that motivates me to work is strong competitors and the FBI, there is a sporting interest and desire to compete. With competitors who will make more money and attack more companies, and with the FBI whether they can catch me or not, and I'm sure they can't, looking at the way they work. The FBI promised to publish my deanon but they didn't fulfill their promise, these people dare to lie about me supposedly not deleting stolen information of companies after paying the ransom, clowning around. It turns out that the FBI officially recognized themselves as liars and they lie very often, as my familiar lawyers Arkady Buch, Dmitry Naskavets and Victor Smilyanets stated, now I believe them 100%. They made a foolish attempt to discredit me by claiming that I work for the FBI, a man who encrypts US companies every day and makes hundreds of millions of dollars does it with the approval of the FBI? Is that how it works? Very clever. You're thinking, why would I work for hundreds of millions of dollars? And I will answer that I am just bored, I love my work, it brings me joy from life, money and luxury do not bring such joy as my work, that's why I am ready to risk my life for the sake of my work, that's how bright, rich and dangerous life should be in my opinion. *when I write the word FBI I mean not only FBI, but also all their assistants, who know how to arrest servers of partners, which act as the first lining after stealing data from the attacked company and do not represent any value: South West Regional Organized Crime Unit in the U.K., Metropolitan Police Service in the U.K., Europol, Gendarmerie-C3N in France, the State Criminal Police Office L-K-A and Federal Criminal Police Office in Germany, Fedpol and Zurich Cantonal Police in Switzerland, the National Police Agency in Japan, the Australian Federal Police in Australia, the Swedish Police Authority in Sweden, the National Bureau of Investigation in Finland, the Royal Canadian Mounted Police in Canada, and the National Police in the Netherlands. So please don't take offense, I haven't forgotten about you, you were also very helpful in this operation. But let me remind you that personally I think the only person who deserves an award and an honorable mention is the person who found a suitable public PHP CVE for my servers, I'm assuming it's someone from Prodaft."
The message concludes with a list of backup blog domains that cannot be shut down by the FBI because Lockbit admins have addressed the PHP issues exploited by feds in the Operation Cronos.
The FBI breached two main servers of the gang that were running outdated PHP versions vulnerable to the flaw CVE-2023-3824.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Lockbit)
