LockBit hacker group strikes again, claiming new victims just days after being dismantled

The authorities of ten countries, including France, announced on February 19 that they had seized the online infrastructure of the Russian-speaking hacker group LockBit as part of operation “Cronos”. 34 servers were dismantled, along with the group's main site and 22 sites linked to the network. The “dismantling” proved short-lived: on February 24, the cybercriminal group known for its ransomware attacks put a new showcase site online, contradicting the police and displaying its first five alleged victims.

On the dark web, LockBit minimizes the police operation

In a long message published on the darknet and written in the first person, LockBit explains that the police, referred to by the shorthand “the FBI”, hacked two main servers “because during five years of rolling in gold, I became very lazy”. It adds: “Due to my personal negligence and irresponsibility, I relaxed and did not update the PHP servers on time.” This oversight allegedly allowed the police to exploit a security flaw in PHP, the programming language used by the servers. The group says it cannot determine whether the vulnerability, identified as CVE-2023-3824, was already known or not.


LockBit took advantage of this message to contradict the information released by law enforcement. According to the group, the operation was accelerated by its ransomware attack on Fulton County, Georgia, in the United States, the same county where Donald Trump was arrested last summer before being released. The malware allegedly made it possible to steal documents relating to “Donald Trump’s legal affairs”, which is why “the FBI” supposedly intervened.

The criminal group also claims that the authorities could only have obtained the few decryption keys present on the servers, whereas the police said they had collected more than 1,000. For many cybersecurity experts, this publication by LockBit on the darknet is above all an attempt to play down Operation Cronos in order to restore the group's credibility.

Twelve new victims, including a French logistics group

Even though the group's infrastructure was seriously damaged, the hackers resurfaced this weekend. They kept the brand name and moved their site to a new “.onion” address. On this site, they exposed five victims on Saturday, then seven more on Sunday. This is the group's usual noisy method: displaying the name of the hacked organization, a short description and a countdown before the publication of sensitive data.

Among the alleged victims exposed on this new site is the Fulton County government, which has suffered several cyberattacks since January. Several American companies were targeted, such as a national network of dental laboratories, the industrial and maintenance groups Dunaway and STS Aviation Group, and MCS360, a real estate services company. British and Australian companies have also been targeted.


A French company is also part of the lot: Idea, a group specializing in logistics and industrial packaging. Based mainly in Loire-Atlantique, the company employs nearly 2,000 people and works in many sensitive sectors, such as aeronautics, defense and energy. The cybersecurity company Sophos has also identified new attacks by the LockBit 3.0 malware in recent days, particularly against ConnectWise ScreenConnect, a remote desktop support solution. None of these victims has confirmed being attacked.

At the origin of 27% of ransom demands

Described by Europol as “the most prolific and dangerous hacker group in the world”, LockBit has reportedly received $91 million since 2019 and is believed to be responsible for 2,000 cyberattacks worldwide. In August 2022, it attacked the Corbeil-Essonnes hospital, demanding one million dollars before publishing patient health data. The gang is believed to be behind 27% of ransom demands in France.
