LockBit Scrambles After Takedown, Repopulates Leak Site with Old Breaches

The impact of Operation Cronos continues to hinder the LockBit ransomware group’s operations, and the gang has begun posting fake victim claims to its leak site.

Almost 80% of victim entries that appear on the group’s new data leak site post-Operation Cronos are illegitimate claims, according to a new report by Trend Micro, a Japanese cybersecurity firm that took part in the law enforcement operation that took down LockBit’s infrastructure on February 19, 2024.

Over two-thirds of the listed victims (68%) were reuploads from attacks that occurred before Operation Cronos and 10% were victims of other ransomware groups – namely ALPHV/BlackCat and RansomHub.

Trend Micro also found that 7% of the post-Operation Cronos uploads had quickly been removed.

“14 victims were still not published and we did not find any public data other than the posts on the LockBit site that claim to verify the actual attack dates,” added the report.

LockBit leak site victim information post-Operation Cronos. Source: Trend Micro

Based on this analysis, Trend Micro assessed that LockBit is trying to manipulate its new leak site by populating it with fake victim data and giving it an appearance of normalcy, as if the group was fully back and running.

Other suspicious behaviors, such as removing victim names before the end of the countdown timer and uploading victims in batches, also support this hypothesis.

Read more: What You Need to Know about Operation Cronos

Impact of Operation Cronos on LockBit’s Affiliates

As part of Operation Cronos, Trend Micro revealed that, before the takedown, the LockBit admins were working on a new, platform-agnostic ransomware build that researchers called LockBit-NG-Dev (NG stands for ‘next generation’).

Read more: Who Are the LockBit Admins?

However, the takedown has likely put any such development projects on hold, as LockBit had to focus on restoring its infrastructure.

While LockBit’s kingpin (aka LockbitSupp) promised to return quickly, the group affiliates’ ability to launch new attacks seems severely hampered.

The Trend Micro report shows a clear drop in the number of actual infections associated with LockBit ransomware following Operation Cronos, with only one small attack cluster observed in the three weeks following the disruption.

LockBit infections post-Operation Cronos. Source: Trend Micro

On cybercrime forums, users claiming to be LockBit affiliates complained about disruptions to the group’s infrastructure even before the operation was publicly announced.

“An actor using the handle ‘Desconocido’ complained that three ongoing campaigns were affected by the disruption,” the Trend Micro report states.
