The hacker group LockBit is already back, barely a week after an international police operation allegedly took the collective offline. Lockbit communicates very professionally about what happened and what steps are being taken.

Operation Cronos had limited success. After the FBI and Europol, among others, took the online “services” of the digital criminal organization LockBit offline last week, the collective is celebrating a comeback. LockBit is considered one of the most important hacker groups on the Internet and its ransomware has already claimed victims at large companies, municipalities and even children’s hospitals.

In addition to taking LockBit’s website offline, Operation Cronos was also able to disrupt the infrastructure behind the ransomware campaigns. However, LockBit managed to restore this infrastructure within a week and offer its ransomware services again.

Swimming in money

The hacker behind LockBit communicates transparently about the incident in a somewhat unique style and takes responsibility. The beeping computer saw the statement. “Because I was swimming in money for five years, I became very lazy,” he said. “Due to my own negligence and irresponsibility, I did not update PHP.” The server in question was running PHP 8.1.2 and was vulnerable to the CVE-2023-3824 bug. Through this leak, the police services managed to gain access.

LockBit will immediately announce measures. Of course, the new infrastructure has the necessary updates. In addition, LockBit works with a structure of subcontractors. In this regard, the hacker collective can be viewed as a traditional software company from which other organizations, large and small, can purchase different licenses. Operation Cronos captured decryption software for several of these lighter licenses, allowing some victims to recover their data without paying LockBit. This is not a good thing for these subcontractors, so LockBit is reviewing its internal processes.

Security infrastructure will be modernized and there will be more decentralization. Spreading the subcontractors’ infrastructure across multiple servers should make it more difficult to cause too much damage in the event of a government attack.

The return of LockBit is not a good thing for internet security. The group also says it will attack additional (American) government websites to determine whether the FBI is truly capable of fighting back.

Transparent communication

What is striking is that the criminal organization communicated quickly, transparently and completely about the incident. LockBit takes responsibility, clearly explains what went wrong, shows the impact on customers and explains how such problems can be prevented in the future. Just like a legitimate organization, Lockbit wants to limit the damage to its reputation after a hack. After all, the customers who paid LockBit money but now see that their ransom attacks have been neutralized will not be too happy with the secret company. Open communication helps restore trust. Ironically, many of LockBit’s victims can learn something from this transparent and fast communication.