DIGITAL LIFE

Ransomware group Lockbit was attacked and saw data exposed without the right to demand ransom
This is what you could call “a taste of one’s own medicine”. Lockbit was attacked and databases of the group that attacked dozens of companies were exposed, revealing new details and showing that the organization is not dead.
Last year, several alleged leaders of the Lockbit group were arrested and the operation dismantled. Its websites and infrastructure remained online, however, and have now been the target of a cyber attack that left a message and exposed data from an organization that, after all, does not seem to be completely dead. The hacker or hackers responsible for the attack redirected the organization’s website to a page where the message reads: “Don’t do crime CRIME IS BAD xoxo from Prague”.
Next to the message there is a link to a compressed file containing a database stolen from the collective. The records show activity between December 2024 and April 29, as reported by the GovInfoSecurity website, along with other information that may be useful in understanding Lockbit's modus operandi and who was acting on its behalf. "Although there is still no official confirmation, the data appears legitimate and highly revealing," Alon Gal, CTO of the security company Hudson Rock, said in statements to the publication.
Several security researchers are already working on the shared information and providing details about what they are finding. Valery Rieß-Marchive, a French researcher, published on LinkedIn that he identified 75 affiliate accounts in the database: 35 are paused and 14 were last online on April 29, the day the hack apparently took place. He found that, among all the affiliates, only two had privileges to lead negotiations with the attacked entities. The two accounts appeared to be frequently used by the same person. The relevant information also includes cryptocurrency wallet addresses, which could be important for establishing connections: identifying who paid and who received the ransoms, and reaching more affiliates of the group, which withheld data from companies and blackmailed them, demanding money in exchange for returning it or not revealing it.

Milivoj Rajić, head of intelligence at DynaRisk, told Information Security Media Group that he has only just begun to “sweep” the 59,975 Bitcoin wallet addresses included in the database and has already verified that some have funds.
The exposed information also includes profile data on Lockbit victims, such as domains or estimated annual sales, as well as other tools used by affiliates, including records of group chat conversations between members and victims.
Another security researcher posted on the social network X that he managed to obtain a comment from the Lockbit group about this attack. According to that comment, the attack only managed to get past an automatic registration panel, and “not a single decryptor, nor the stolen data from companies was damaged”. The group has since published a message saying more or less the same thing, adding that it is offering a reward to anyone who provides data that helps identify the author of the attack.
mundophone