Ransomware

Lockbit Reborn? New Site Defies FBI Takedown

Lockbit Reborn? New Site Defies FBI Takedown

LockBit, a notorious ransomware group, faced a major setback as global law enforcement agencies, led by the FBI, executed a coordinated operation called Operation Cronos, to shut down the group’s operations. 

The crackdown saw multiple domains owned by LockBit seized, disabling access to their affiliate panel, a pivotal control center for orchestrating ransomware attacks. 

While further details of the operation remain undisclosed, this shutdown marks a significant blow to the ransomware landscape and highlights ongoing efforts to combat cybercrime and protect individuals and organizations from malicious threats.

The note on LockBit's site following its shutdown
The note on LockBit’s site following its shutdown

What happened to LockBit’s stolen databses?

When popular deep and dark web sites are seized, the cyber threat intelligence (CTI) community typically anticipates finding their stolen data on:

  1. Active databases on top hacking forums such as XSS and Exploit, which happened after Breachforums was closed in March 2023
  2. A new site with a new domain emerges hosting the same data that was seized

Is LockBit already back?

To answer this question, we used our dark web monitoring tool, Lunar, to search for any discussion related to an alternative for LockBit’s site. 

We did that by running a query containing keywords associated with LockBit alongside synonyms for the words “seized” and “alternative”. 

We then restricted the timeframe to a few days preceding the shutdown and applied dynamic filters to exclusively retrieve data from hacking forums and chat applications.

This quick investigation led us to a thread on the hacking forum Exploit, where a user mentioned a new site named Dispossessor. Remarkably similar to the original LockBit site, the majority of the posts hosted on Dispossessor are identical to the ones published on the old LockBit site.

A user mentions a site that looks like Lockbit’s site, the image was taken from Lunar
A user mentions a site that looks like Lockbit’s site, the image was taken from Lunar

In the next image, taken from Lunar, we can spot the first mentions of Dispossessor’s site in deep and dark web hacking forums on February 15, only days before LockBit’s site was seized.

The first mentions of Dispossessor's site in deep and dark web hacking forums, taken from Lunar
The first mentions of Dispossessor’s site in deep and dark web hacking forums, taken from Lunar

How similar is Dispossessor’s site to LockBit’s site?

There are several striking similarities between Lockbit and Disposessors despite differences in names and logos. 

Both share a similar site structure, colors, fonts, and sections, amounting to a very strong resemblance. Take a look at the images taken of their home pages:

Screenshot of the home page of the LockBit’s site before it was seized
Screenshot of the home page of the LockBit’s site before it was seized
Screenshot of the Dispossessor homepage
Screenshot of the Dispossessor homepage

Beyond structural similarities, Dispossessor exhibits remarkable content parallels with LockBit’s old site. 

Several posts originally found on LockBit are now mirrored on Dispossessor, with identical content and publication dates.

6
A screenshot of the same post from the two sites – this one is taken from the seized LockBit’s site
7
Screenshots for the same post from the two sites – this one is taken from Dispossessor

How to keep track of re-emerging LockBit sites?

After finalizing the query used to track any new indication for LockBit’s new site, we’ve established a high-priority alert within Lunar. This alert is designed to constantly monitor the deep and dark web for any emerging domains or sites associated with LockBit. Its frequency has been set to every 6 hours to ensure timely updates and vigilance.

We set an alert on Lunar to find new domains or new sites associated with LockBit
We set an alert on Lunar to find new domains or new sites associated with LockBit

Is Lockbit back?

The alert we set on Lunar, notified us via email about posts matching our LockBit query. Among the retrieved posts was an announcement made on a Telegram channel, by LockBit, about server restoration. This post included a link to the statement itself, where LockBit shared a list of multiple mirrors leading to their new site.

The post Lunar's alert showed indicating that LockBit has new Tor domains
The post Lunar’s alert showed indicating that LockBit has new Tor domains
Lockbit’s statement including the list of the new domain of the main blog, the image was taken from Lunar
LockBit’s statement including the list of the new domain of the main blog, the image was taken from Lunar

LockBit – what’s next?

The recent shutdown of LockBit’s site marks a significant milestone in the fight against ransomware attacks, given its status as a leading player in this domain. The re-emergence of their site shortly after it was shut down shows how elusive it is to monitor ransomware groups and sites.

As ransomware attacks and cyber threats, in general, continue to evolve, it is crucial to continue to proactively monitor these activities with dark web monitoring tools, such as Webz.io’s Lunar. Without them, companies will struggle to stay ahead of emerging risks and defend against potential attacks launched by groups like LockBit.

Spread the News

Not subscribed to our Dark Web Pulse updates?

By submitting you agree to Webz.io's Privacy Policy and further marketing communications.

Feed Your Machines the Data They Need

Feed Your Machines the Data They Need

GET STARTED

Expose Hidden Risks to Your Domain

Uncover dark web threats with Lunar, the next gen dark web intel platform

Subscribe to our newsletter for more news and updates!

Ready to Explore Web Data at Scale?

Speak with a data expert to learn more about Webz.io’s solutions
Create your API account and get instant access to millions of web sources