A hacker behind the LockBit ransomware site has boasted that its shutdown was because he got ‘very lazy after five years swimming in money’ as the gang claimed to be operating again a week after being taken down by ‘Britain’s FBI’.
The shadowy Russian-linked outfit was the target of an unprecedented international law enforcement operation last week which saw some of its members arrested and charged.
But after being taken down by an international coalition led by the National Crime Agency, the cybercrime gang says it has restored its services and is back in business.
In a post on the dark web, Lockbit claimed it started to notice problems early in the morning of February 19, but things went back to normal. ‘I didn’t pay much attention to it, because for 5 years [sic] of swimming in money I became very lazy,’ they wrote.
Lockbit, which accounts for up to a quarter of ransomware attacks, has been causing havoc by hacking into computer systems and stealing sensitive data which it then threatens to release unless the victims pay an extortionate ransom.
Mikhail Pavlovich Matveev is one of five Russians charged over Lockbit, which has been described as the world’s most dangerous ransomware gang
LockBit’s website was taken down last week. Visitors to the Lockbit website now see a message saying it is ‘under the control of law enforcement’. But the hackers have now set up a new site
The NCA had released a video revealing how the group operates
The Russian-speaking hackers make money by selling their services to fellow crime gangs, with targets including Royal Mail, the NHS, Porton Down and hundreds of companies in the UK and abroad.
Last week, the NCA, FBI, Europol and other policing agencies announced they had seized some of the group’s servers, stolen data and cryptocurrency addresses.
Seven suspects have been arrested so far and five people have been charged, including two Russians, Mikhail Vasiliev, who is being held in Canada, and Ruslan Magomedovich Astamirov, who is in the US.
The remaining three – Artur Sungatov, Ivan Kondratyev and Mikhail Pavlovich Matveev – remain at large. The FBI is offering a $10million reward for information leading to the arrest of Matveev, who goes by the alias ‘Wazawaka’.
But the cybercriminals have refused to bow down to the authorities and have set up a new website on the dark web.
Releasing a lengthy statement, a member of the group said the FBI was able to seize its servers ‘due to my personal negligence and irresponsibility’.
The statement, posted in English and Russian, also said: ‘I relaxed and did not update PHP [website software] in time.
‘All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies.’
The latest website also posted what it claimed was new hacked data.
A spokesperson for the NCA, which led the international effort to seize Lockbit’s operations, said the group ‘remains completely compromised’.
‘We recognised Lockbit would likely attempt to regroup and rebuild their systems. However, we have gathered a huge amount of intelligence about them and those associated to them, and our work to target and disrupt them continues,’ the NCA said on Monday.
The new Lockbit dark web site showed a gallery of company names, each attached to a countdown clock marking the deadline within which that company was required to pay ransom.
‘They want to scare me because they cannot find and eliminate me, I cannot be stopped,’ said the statement, which was presented as part of a mock-up leak from the FBI.
The statement also declared an intention to vote for Donald Trump in the US presidential election and offered a job to whoever hacked LockBit’s main site.
The NCA previously called the group the ‘Rolls-Royce’ of ransomware and said it behaved like a ‘legitimate business’, with a ‘slick, easy to use’ website and marketing gimmicks including $1,000 for anyone who gets a tattoo of its logo.
Visitors to Lockbit’s old website were greeted with a message revealing it is ‘under the control’ of the NCA, which targeted the site as part of a taskforce of 10 countries that includes the FBI and Europol.
They said the ‘permissive environment’ in Russia allowed the group to operate – with gangsters never targeting nations in the former Soviet Union – but do not believe the regime of Vladimir Putin was directly involved.
Lockbit was recently revealed to have stolen secret military and defence material from the HMNB Clyde nuclear submarine base, the Porton Down chemical weapons lab and a GCHQ listening post. This was then shared on the dark web.
Information about a specialist cyber defence site and some of Britain’s high security prisons was also stolen in the raid on Zaun, which makes fences for maximum security sites.
British police targeted the site as part of a taskforce of 10 countries that includes the FBI and Europol
A previous Lockbit attack targeted Porton Down. Pictured is the Dstl high containment lab at the high-security facility in Wiltshire
Lockbit either carries out attacks for its own gain or is paid by other criminal gangs
Lockbit also hacked the Royal Mail Group in January and made ransom demands of £66million at the time. The company did not pay the extortionate fee but saw its services disrupted and had to spend £10million on anti-ransomware software.
It has also been linked to attacks on international law firm Allen and Overy and China’s biggest bank, ICBC.
NCA Director General, Graeme Biggar, last week said Lockbit had been the ‘most prolific’ ransomware group in the last four years, responsible for 25 per cent of attacks in the last year.
He told a press conference in London that there were at least 200 victims in the UK and thousands abroad, leading to billions of pounds worth of damages – both in ransom payments and the cost of responding to attacks.
‘We have hacked the hackers, taken control of their infrastructure and seized their source code,’ Mr Biggar said.
‘We have arrested, indicted and sanctioned some of the perpetrators and gained intelligence on the criminals using the software – who we will now continue to pursue.
‘As of today, Lockbit is effectively redundant – Lockbit has been locked out.’
Paul Foster, head of the NCA’s national cybercrime unit, said that LockBit’s popularity was partly because it was so easy to use.
He said: ‘LockBit had established itself as the preeminent ransomware strain over the last four years and one of the reasons for this was its intuitive platform and its relative ease of use.
‘That means just with a few simple clicks even the less technically savvy cybercriminals used LockBit to deploy ransomware.
‘Another key reason for their past criminal success was the marketing and branding that underpinned LockBit. They had a slick website and they had loyal customers.
‘They ran a successful marketing campaign that included a promise to pay 1,000USD to anybody who had the LockBit logo tattooed on themselves.’