
Lockbit Ransomware Gang Returns After International Takedown, Arrests

Lockbit says it's back with new servers, but Britain's National Crime Agency tells PCMag that the group remains 'completely compromised.'

 & Kate Irwin Reporter


The Lockbit ransomware group is reportedly back online with new servers.

In a lengthy letter posted online this weekend, Lockbit claims that the international group of government agencies that infiltrated it only obtained decryption keys for 2.5% of the attacks the ransomware group has carried out since its inception.

Last week, the US Department of Justice, FBI, the UK National Crime Agency (NCA), Europol, and others announced their joint infiltration of Lockbit's servers. The US charged two Russian nationals allegedly connected to the ransomware group, and Ukrainian authorities arrested a father-son duo believed to be Lockbit members. At the time, Lockbit administrators said that while their servers that use PHP were infiltrated, their backup servers were "untouched."

The UK's NCA has repeatedly asserted that Lockbit is fully compromised in statements provided to PCMag. "The NCA, working with international partners, successfully infiltrated and took control of Lockbit's systems, and was able to compromise their entire criminal operation," an agency spokesperson told PCMag via email Monday. "Their systems have now been destroyed by the NCA, and it is our assessment that Lockbit remains completely compromised."

"We recognized Lockbit would likely attempt to regroup and rebuild their systems," the NCA continued. "However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues."

In the letter from a purported Lockbit administrator shared by malware data collector VXUnderground, the admin claims that Lockbit members became "lazy" after they stole enough money to let them live a luxurious lifestyle "on a yacht with titsy [sic] girls."

The admin then implies that they are a US voter and says Lockbit's new servers are running a new version of PHP, promising that anyone who reports any critical vulnerabilities for Lockbit's new systems "will be rewarded." Their lengthy letter makes a number of other allegations and contradictory statements, including some regarding the FBI's supposed motives.

The admin admits, however, that even a PHP update "will not be enough" to stop the FBI and other agencies from regaining access to new servers, and argues that servers without PHP are uncompromised. They provide a list of backup domains without PHP, which includes Boeing, among many others.

"Even after the FBI hack, the stolen data will be published on the blog," the Lockbit admin writes. "There is no chance of destroying the stolen data without payment."

International authorities previously shared that they had obtained over 1,000 decryption keys and intend to use them to help Lockbit victims. But Lockbit accuses the government authorities of "bluffing" about how many they've acquired, and says that about 40,000 keys exist in total.

The DOJ declined to comment. The FBI has not yet responded to PCMag's request for comment.

Editor's Note: This story has been updated to include a response from the DOJ.
