NOTE: I started this story before Operation Cronos. Hence you can see tiny details getting unfold before the FBI/Europol Compromise and afterwards. This article mainly focuses on the mighty comeback of LockBit Group and their approach after Operation Cronos and does NOT attribute to the Identity of LockBitSupp. Moreover, it is a collection of events in the LOCKBIT Series observed that had gone unnoticed.

1. INTRODUCTION
2. THE COMEBACK
3. VICTIMIZATION
4. LOCKBIT INFRASTRUCTURE HUNT
5. LOCKBIT MOVING TO TORRENT FILE SHARES
6. VICTIM CASE STUDY: CRINETICS
7. LOCKBIT LEAK HOSTING
8. UNRELATED LOCKBIT DOMAIN
9. LOCKBIT IMITATORS AROUND
10. LOCKBIT AFFILIATE?
11. REALITY CHECK?
12. LEAK DATE EXTENSION: ADOPTION OF NEWER APPROACH
13. OPERATION CRONOS: PART 2
14. LOCKBIT TOX STATUS UPDATES
15. CONCLUSION
16. IOC

INTRODUCTION

After the ban of LockBit on forums like XSS or Exploit and Law Enforcement Infiltration of LockBit via Operation Cronos, it is evident that the group had lost a few of their internal files such as Negotiation Panel, Affiliated Member List, Victim Database, Chats and Decryption Keys got exposed to the public and their well-built reputation got a taint.

Initially, on their comeback, LockBit had published past leaks (before Operation Cronos). But the same had been criticized in the infosec community about the re-use of old leaks, the Group had withdrawn it and came back with a fresh batch of victims.

This article is purely going to focus on the 2nd reign of LOCKBIT!

THE COMEBACK

After OPERATION CRONOS Part 1, it took about a week for LockBit to resurface with their all mirror servers back online with listing new victims on their Data Leak Site (DLS).

All the victims are given an average of 29-Day negotiation time frame before leaking the entire data on the LockBit leak servers to the public.

Currently, the victim list is clocked at 200+ (Post Operation Cronos) which signifies their strong presence in the Corporate Ransomware Scenario.

NOTE: Operation Cronos had made a greater impact to cripple LockBit. But the group goes strong defending all the drawbacks.

VICTIMIZATION

LockBit started to victimize more often, even including reputed targets such as the US Government wing DSIB — The Government of the District of Columbia Department of Insurance, Securities and Banking (DISB) regulates financial-service businesses, Polycab, OracleCMS, Nampak, Crinetics, etc.

However, it is found that the victim’s data appears lately on their site, unlike it was a regular upload feature before Operation Cronos.

In some cases (such as Polycab, Krueth and CasaJove); the leaks are not yet listed even after the deadline, which is suspicious. This could be due to the loss of data from LockBit at the time of Operation Cronos OR the victims might have paid the ransom.

While checking the Victim Geography, we can see that the US tops the list; followed by the UK, Germany, Canada, India, and France.

NOTE: While analyzing the data, it was found that LockBit had listed 235 Victims (ATTOW) after Operation Cronos Part 1 & 2. For info, you may contact me.

LOCKBIT INFRASTRUCTURE HUNT

During the analysis, it was found that LockBit maintains a stable server to host large leaks on a new Onion Domain:-

lockbit33chewwx25efq6dgkhkw4u7nefudq4ijkuamjfd7x73on6dyd.onion

This leak site is running on nginx/1.25.4; which is the latest version of NGINX (ATTOW) as promised by LockBit to avoid any unpatched versions after Operation Cronos Part — 1.

Their main DLS is the following which is running on nginx/1.24.0

lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion

During my research, LockBit’s original IP got exposed:-

By digging further, we can extrapolate the following details:-

IP: 5.182.5.126 
ASN: 49505
Location: Russia
Server: NGINX 

NOTE: The same IP has a historic connection with a domain: waralbum.ru which was associated with BuhTrap Banking Trojan in 2016

Old LockBit Servers (now controlled by Europol or Operation Cronos) were using Apache/2.4.57 (Debian). The LockBit group had moved to the NGINX server with the newest stable Onion Domains.

LOCKBIT MOVING TO TORRENT FILE SHARES

On March 9, 2024 LockBit Operators made 18 Vanity Onion Domains online listing about 710+ Clients, along with Torrent Files to make downloading easier.

NOTE: All the Onion Domains are listed at the end of the article in the IOC Section

In mid-November 2023: Lockbit decided to make Torrent files for all of its victims for easier accessibility. All victim’s data (Torrent Version) packaged and assigned a 5-Char name instead of a company name such as I85F5, 7E6EE, V4DV5, LIHD9, PLPT7 etc.

While digging further, it is also observed that a file tree for each victim is also being created on the same day i.e. 9th March 2024.

All the torrent trackers of LockBit leaks are connected to:-

http://3bqptmf5ergw7mgj6jalvn5ohh2ubhssestvrwfdoubaz7nkrix4jcqd.onion:6969

Torrenting of Leaks is not a new approach as Clop Ransomware Gang had already used it earlier, back in September 2023. This helps them to club the traffic with the public and the leaked file will stay longer as it’s been shared in a decentralized fashion.

VICTIM CASE STUDY: CRINETICS

Crinetics is being listed by LockBit as the work of a shadow group or an affiliate whose data is not being claimed directly by LockBit.

On 20th March, as an Update; the group had listed 8 screenshots of the negotiation taking place between LockBit and Victim.

The demand was: $4M; but the client could pay up to $1.8M.

On April 2, as the negotiation did not turn up fruitful, the group extended its leak date to 7th April, 2024, along with an explanation stating that LockBit had terminated the communication with the victim who had provided the information to Recorded Future, which failed the instructions provided by LockBit.

Finally, LockBit affiliate closed this chapter on April 11, 2024 by increasing the ransom for Information Destruction and Data Download to $7M.

The BTC Wallets demanded for Crinetics are below mentioned:-

BTC: bc1qdtawyte5qtxgrk6far90tpeh9atfvyqgv5rcxs
XMR: 48XyFEbDz4117SopGgaSjAaMK2uXqvnmq7W2wFXKUFPJNdTLFUvgKyx82jcRiWXBDv9ojbijGYyqz9edtrsgZG9NMHG7Xff

NOTE: It is observed that the Chat Transcript of this client is purposefully put by LockBit on its Shame Page and the same is not observed for any other victims. Either this could be a warning message for the public to prove that the Negotiation takes place in Millions OR this act might not be carried out directly by LockBit but the work of an affiliate.

LOCKBIT LEAK HOSTING

The newly released data of victims (post Europol Episode) are initially hosted in Mega, instead of dedicated LockBit Data Servers as it takes more operational time to upload the databases to LockBit servers.

And later moved to their dedicated LockBit servers.

lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion

lockbit33chewwx25efq6dgkhkw4u7nefudq4ijkuamjfd7x73on6dyd.onion (Downloads get pulled from here)

UNRELATED LOCKBIT DOMAIN

While analyzing the data leaks, there is a peculiarity found in the case of Pronat Industries, whose data is not hosted on regular LockBit platform.

bu27ucccflf4bkwssunbtvf6lflhp6ydvbqoxduf62ywzmpmv24wcgid.onion

It’s not a vanity TOR Domain unlike other URLs.

It can be assumed that this could be a non-LockBit affiliate or there could be a storage issue, as LockBit (or affiliates) decided to store it in a separate Onion Domain, unrelated to LockBit.

For this client, they have given BTC and XMR Addresses similar to Crinetics, however the BTC Addresses are different, but XMR remains the same.

BTC: bc1qjwquf4n0j6tc55wg9zymkas2ue484ddxtl70wv
XMR: 48XyFEbDz4117SopGgaSjAaMK2uXqvnmq7W2wFXKUFPJNdTLFUvgKyx82jcRiWXBDv9ojbijGYyqz9edtrsgZG9NMHG7Xff

A new pattern was found for the well-known targets where LockBit extends their Leak Period from 5 Days to an additional 10 days, hence delaying the leak.

LOCKBIT IMITATORS AROUND

It is found that there are various scammers around the cyber corners on various sources such as Telegram Channels, Discord Servers etc. Even sometimes, we can see Ransom Note imitating the LockBit style of attacks.

NOTE: Here, you can see that the imitator had used genuine LockBit URLs and TOX ID to show the genuinity of LockBit. But when it comes to the XMPP, the same ID is present in CryptBB Ransomware which dates back to November 2022.

Many noobs got hold of the leaked build of LockBit and weaponized it to random targets, searching to hit a jackpot. The intended targets may misidentify them as legitimate LockBit and hence may end up paying them.

Here is another chat transcript with a fake LockBitSupp on the Telegram Platform where he charges $500 as a joining fee to a private group:-

In another scenario, the victim companies that are leaked by LockBit are being re-surfaced by other groups such as “Dispossessor” by listing the same LockBit victims. Here you can see the screenshot of the same from their website:-

By observing their victim list, it is found that the group had listed 80% of clients from LockBit and also listed a few victims from 3AM and 8Base as well.

NOTE: This act indicates that there are groups who regularly download the leaks and list them after a while by launching a new website.

NOTE 2: If you want to read LockBit Imitators exclusively, I have already made a Research Article a couple of months back. You can check it out here.

LOCKBIT AFFILIATE?

While checking for the LockBit Affiliates on the Dark Web, it was found that a Russian member named “Hexonium” on a deep web forum claimed to be an affiliate of LockBit by providing the genuine Onion Domain of LockBit.

While checking the Forum activity and URL used, we can see that this member has been active since December 2023.

While navigating through the posts, we can see:-

Hexonium does not initiate/start any thread in the community and all (S)he does is interact with the breaches by posting “nigger” as a common term in all posts.

Hence we cannot rely on Hexonium as a genuine affiliate as we have seen many skids use LockBit aura to radiate the fear among the victims; especially when LockBit Black got leaked in September 2022.

NOTE: Hexonium is the name given to an In-Game Cryptocurrency, a project from Cardano. The image used by the forum user also signals the strong liking of Cardano platform by the user.

REALITY CHECK?

Here is the direct interaction with the LockBitSupp where he denies any involvement in other channels.

LEAK DATE EXTENSION: ADOPTION OF NEWER APPROACH

It is found that the group is delaying its leak from the already-set timer. This does not apply to all listed victims, however observed for a few.

Polycab is one such example where the initial leak date was April 5 but again got extended to April 22, 2024. Once the timer is set off, the data is not yet listed (ATTOW). It could have been lost during 1st batch of Operation Cronos Campaign.

Another well-known corp from India “RJCorp” is scheduled to release on April 15th, which is missing from the current list.

There are 2 possibilities for this.

Either the party had paid the ransom and their name got removed from the Data Leak Site

OR

It might be an empty threat of LockBit to inflate their victim count.

OPERATION CRONOS: PART 2

On the first week of May 2024, Europol posted the following update on the previously compromised website of LockBit:-

lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion

According to the post, the identity of LockBitSupp and other LockBit affiliates was revealed on May 7, 14:00 UTC.

As per the revelation, the identity of LockBitSupp is traced to a Russian National named “Dmitry Yuryevich Khoroshev”.

Following are the events that were observed after the LockBit Identity Reveal:-

1. Soon after this disclosure, many security researchers began to scoop up the details of the alleged member using email addresses and phone numbers shared.
2. 1 Hour after the Identity Reveal, LockBitSupp came up with the following status :-

The FBI is bluffing, I m not Dimon, I feel sorry for the real Dimon ))) oh and he will get pussy for my sins )))

3) After this status update, many in the industry started to co-relate this as a defensive approach of Khoroshev to unproven himself.

This may be true, but we never know at this moment.

4) The following day, on May 9th -> LockBit had added 77 new victims to their DLS domain. Some of the victims were re-appeared in the new batch. This could be to inflate the number of victims, hence delivering an overall impression of the high-number of single-batch infections.

5) LockBit also added a new message on DLS titled “contest.omg” where he challenged the community to communicate with Dmitry and provide evidence through their new portal.

6) The old sites (that are controlled by Feds) are being shut down now (which were active for 4 days).

LOCKBIT TOX STATUS UPDATES

Here are the important STATUS-UPDATES of LockBitSupp. Captured at different intervals:-

все на шашлындос
Everything is on the Barbeque
ФБР блефует, я не Демон, мне жаль настоящего Демона))) о, и он получит пизды за мои грехи)))
The FBI is bluffing, I m not Dimon, I feel sorry for the real Dimon ))) oh and he will get pussy for my sins )))
Придумайте как доказать, что я не Демон? Как показать всему миру что ФБР ошиблись или специально подставили Демона?
Can you figure out how to prove that I'm not a Demon? How can we show the whole world that the FBI made a mistake or deliberately framed a Demon?
участвуем в конкурсе, условия в блоге
We particiapte in the competition, conditions in the blog

CONCLUSION

When it comes to Takedowns: It is not as effective as claimed. As RaaS is a profitable business, this trend will continue. The arrest of a group paves the way for the comeback/birth of the next group with a more defensive approach.

In this case, it is not yet clear how Europol landed on Khoroshev. In short, no substantial evidence had been provided to establish an active link between Khoroshev and LockBit, but assumption of similar timelines.

At the same time, due to the secrecy of the operation, we can’t assure that Dmitry is NOT LockBitSupp.

We have to wait for a bit longer to unveil the truth as LockBitSupp has announced that it’s no more about money for them, but the victim count.

NOTE: This is a developing story and you can see the updates once I get it.

IOC

TOR DOMAINS
===========
lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion
lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion
lockbit7z2og4jlsmdy7dzty3g42eu3gh2sx2b6ywtvhrjtss7li4fyd.onion
lockbit7z2mmiz3ryxafn5kapbvbbiywsxwovasfkgf5dqqp5kxlajad.onion
lockbit7z355oalq4hiy5p7de64l6rsqutwlvydqje56uvevcc57r6qd.onion
lockbit7z36ynytxwjzuoao46ck7b3753gpedary3qvuizn3iczhe4id.onion
lockbit7z37ntefjdbjextn6tmdkry4j546ejnru5cejeguitiopvhad.onion
lockbit7z3azdoxdpqxzliszutufbc2fldagztdu47xyucp25p4xtqad.onion
lockbit7z3ddvg5vuez2vznt73ljqgwx5tnuqaa2ye7lns742yiv2zyd.onion
lockbit7z3hv7ev5knxbrhsvv2mmu2rddwqizdz4vwfvxt5izrq6zqqd.onion
lockbit7z3ujnkhxwahhjduh5me2updvzxewhhc5qvk2snxezoi5drad.onion
lockbit7z4bsm63m3dagp5xglyacr4z4bwytkvkkwtn6enmuo5fi5iyd.onion
lockbit7z4cgxvictidwfxpuiov4scdw34nxotmbdjyxpkvkg34mykyd.onion
lockbit7z4k5zer5fbqi2vdq5sx2vuggatwyqvoodrkhubxftyrvncid.onion
lockbit7z4ndl6thsct34yd47jrzdkpnfg3acfvpacuccb45pnars2ad.onion
lockbit7z55tuwaflw2c7torcryobdvhkcgvivhflyndyvcrexafssad.onion
lockbit7z57mkicfkuq44j6yrpu5finwvjllczkkp2uvdedsdonjztyd.onion
lockbit7z5ehshj6gzpetw5kso3onts6ty7wrnneya5u4aj3vzkeoaqd.onion
lockbit7z5hwf6ywfuzipoa42tjlmal3x5suuccngsamsgklww2xgyqd.onion
lockbit7z5ltrhzv46lsg447o3cx2637dloc3qt4ugd3gr2xdkkkeayd.onion
lockbit7z6choojah4ipvdpzzfzxxchjbecnmtn4povk6ifdvx2dpnid.onion
lockbit7z6dqziutocr43onmvpth32njp4abfocfauk2belljjpobxyd.onion
lockbit7z6f3gu6rjvrysn5gjbsqj3hk3bvsg64ns6pjldqr2xhvhsyd.onion
lockbit7z6qinyhhmibvycu5kwmcvgrbpvtztkvvmdce5zwtucaeyrqd.onion
lockbit7z6rzyojiye437jp744d4uwtff7aq7df7gh2jvwqtv525c4yd.onion
lockbitfilzhrvt6eya2lvnp7te4iifzmwybendqclgujqbzu3k4gaid.onion
lockbitfilzu5e62fybhieutf6653cpv6wco7twgjtkqwdgubn4q5rad.onion
lockbitfile2tcudkcqqt2ve6btssyvqwlizbpv5vz337lslmhff2uad.onion
lockbit33chewwx25efq6dgkhkw4u7nefudq4ijkuamjfd7x73on6dyd.onion
3bqptmf5ergw7mgj6jalvn5ohh2ubhssestvrwfdoubaz7nkrix4jcqd.onion
Old LockBit TOR Domains
=======================
lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion 
lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion 
lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion 
lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion 
lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion 
lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 
lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion 
lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion 
lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion 
BTC Wallets
===========
bc1qdtawyte5qtxgrk6far90tpeh9atfvyqgv5rcxs
bc1qjwquf4n0j6tc55wg9zymkas2ue484ddxtl70wv
XMR: 48XyFEbDz4117SopGgaSjAaMK2uXqvnmq7W2wFXKUFPJNdTLFUvgKyx82jcRiWXBDv9ojbijGYyqz9edtrsgZG9NMHG7Xff
IP: 5.182.5.126
TOX: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7

EXTRA READING

If you are an avid reader of LockBit Story, here you can read few resources which I personally liked:-

https://krebsonsecurity.com/2024/05/how-did-authorities-identify-the-alleged-lockbit-boss/
https://analyst1.com/ransomware-diaries-volume-5-unmasking-lockbit-2/
https://therecord.media/lockbitsupp-interview-ransomware-cybercrime-lockbit

Follow me on Twitter/X for interesting DarkWeb/InfoSec Short findings! 😉

NOTE:- The article is purely Individual Research and is not subjected to be used/published anywhere without the Author’s consent.