(Credit: Shutterstock/Pressmaster)
The infamous Lockbit ransomware gang is still active and shared data from five cyberattacks this week despite a global law enforcement infiltration last month.
Lockbit purportedly posted data from five new victims on its dark web site Thursday, according to cybersecurity firm Falcon Feeds. The victims appear to be two US manufacturing firms, a US infrastructure engineering company, a Canadian oil and energy services company, and a British accounting firm.
But Brett Callow, threat analyst at Emsisoft, tells PCMag via email that Lockbit is presenting the data as new attacks when, in fact, the ransomware group is just offering new data. "None of Lockbit’s new postings seem to relate to new incidents. They’re posting data from old attacks, likely in an effort to rehab their rep and convince affiliates and other business partners that all is well (which it isn’t)," Callow says.
"Because companies often don’t release details of incidents, it’s impossible to say for sure but, until recently, it certainly appeared that they were posting data from old incidents," Callow continued.
The US Department of Justice, FBI, as well as the UK's National Crime Agency (NCA) and other agencies involved previously said they had compromised Lockbit's operations. The FBI seized Lockbit's servers, the law enforcement agencies took an estimated 1,000 decryption keys, and the NCA declared it had "hacked the hackers."
But within a week of the news, Lockbit ransomware hackers were back online, claiming to have been able to preserve their backup servers that didn't use PHP, which was reportedly the government agencies' means of entry.
Two alleged Lockbit affiliates were arrested in the Ukraine last month, and the US identified two Russian nationals allegedly connected to the ransomware group and called for their arrest. This month, another previously arrested Russian-Canadian Lockbit member was sentenced to four years in prison for infecting over 1,000 victims with Lockbit ransomware.
But the group's activities appear to be ongoing. The supposed anonymous leader of Lockbit claimed in an interview with The Record this week that they are continuing to attack victims and that while some of Lockbit's members got "scared," "most" are still working to deploy ransomware attacks.
"The FBI was not able to completely destroy my infrastructure," the Lockbit leader said.
The NCA previously told PCMag that it anticipated Lockbit would try to resurrect itself, and said that it will continue to work to dismantle the group.
Lockbit's software has been used for attacks against Boeing, dental insurance firms, and Subway. Apple Silicon Mac computers aren't immune, either.
Editors' Note: This story has been updated to include comment from Callow.