Cybercrime cops still celebrating the takedown of LockBit should put the champagne back on ice because the Russia-linked hackers have re-emerged – and declared support for Donald Trump.
Often described as the “world’s most active ransomware group,” LockBit was disrupted last Tuesday by an international coalition of law enforcement agencies.
According to Europol, the task force infiltrated the gang’s “primary platform and critical infrastructure.” Members of LockBit were also arrested and charged. Britain’s National Crime Agency said the sting had compromised “their entire criminal enterprise.”
But less than a week later, LockBit has reemerged on the Dark Web. On a new site, the gang shared an apparent list of corporate victims, an explanation for the takedown, and that dubious endorsement of Trump.
In a lengthy message posted on Monday, the group’s presumptive leader blamed their “personal negligence and irresponsibility” for the takedown.
They also said the bust was triggered by the recent theft of data from government systems in Fulton County, Georgia.
“The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election,” the message claimed.
Then came the suspicious political declaration.
“Personally I will vote for Trump,” they said.
Cybersecurity experts, however, doubt that LockBit’s leader is a US citizen. Nonetheless, they’re extremely concerned about the group’s return.
What’s next for LockBit?
Analysts have spotted clear signs of LockBit resuming operations.
Tim Geschwindt, a senior associate on the cyber incident response team at security consultancy S-RM, said the hackers recovered their infrastructure over the weekend. To do this, they used backup servers that weren’t compromised during last week’s takedown.
With the gang again open for business, LockBit affiliates are now returning to work. Several new incidents have been reported over the last 24-48 hours, Geschwindt said, while fresh victims are appearing on new sites.
“We expect LockBit are likely to return to pre-takedown levels of attack volume; however, it may take several weeks before they iron out issues with the new infrastructure, and ramp up their activity,” Geschwindt told TNW.
“Ultimately, despite several large takedowns in 2023 and early 2024, we have not seen a major dent in the number of global ransomware attacks or ransom payments.”