Lockbit Reborn? New Site Defies FBI Takedown

LockBit, a notorious ransomware group, faced a major setback as global law enforcement agencies, led by the FBI, executed a coordinated operation called Operation Cronos to shut down the group’s operations.

The crackdown saw multiple domains owned by LockBit seized, disabling access to their affiliate panel, a pivotal control center for orchestrating ransomware attacks. 

While further details of the operation remain undisclosed, this shutdown marks a significant blow to the ransomware landscape and highlights ongoing efforts to combat cybercrime and protect individuals and organizations from malicious threats.

The note on LockBit’s site following its shutdown

What happened to LockBit’s stolen databases?

When popular deep and dark web sites are seized, the cyber threat intelligence (CTI) community typically anticipates finding their stolen data on:

  1. Active databases on top hacking forums such as XSS and Exploit, as happened after BreachForums was closed in March 2023
  2. A new site, on a new domain, hosting the same data that was seized

Is LockBit already back?

To answer this question, we used our dark web monitoring tool, Lunar, to search for any discussion related to an alternative for LockBit’s site. 

We did that by running a query containing keywords associated with LockBit alongside synonyms for the words “seized” and “alternative”. 

We then restricted the timeframe to a few days preceding the shutdown and applied dynamic filters to exclusively retrieve data from hacking forums and chat applications.
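
The query logic described above, sketched as an added example (this is not Lunar's query syntax or the query from the investigation): a post must hit every keyword group, fall inside the time window, and come from a forum or chat source. The keyword lists, field names and sample posts are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Every group must be hit (AND across groups, OR within a group).
# The terms are illustrative, not the query used in the investigation.
KEYWORD_GROUPS = {
    "actor": ["lockbit", "lock bit"],
    "seized": ["seized", "seizure", "taken down", "takedown", "shut down"],
    "alternative": ["alternative", "replacement", "new site", "mirror", "clone"],
}
ALLOWED_SOURCES = {"forum", "chat"}  # hacking forums and chat applications only


def _hits(text, terms):
    """True if any term occurs as a whole word or phrase, case-insensitively."""
    return any(re.search(r"\b" + re.escape(t) + r"\b", text, re.I) for t in terms)


def match_posts(posts, window_end, days_back=5):
    """Return ids of posts inside the time window, from allowed sources,
    whose text hits every keyword group."""
    window_start = window_end - timedelta(days=days_back)
    matched = []
    for post in posts:
        if post["source_type"] not in ALLOWED_SOURCES:
            continue
        if not window_start <= post["published"] <= window_end:
            continue
        if all(_hits(post["text"], terms) for terms in KEYWORD_GROUPS.values()):
            matched.append(post["id"])
    return matched


# Constructed sample data: dates, ids and texts are invented for the example.
WINDOW_END = datetime(2030, 1, 10)
SAMPLE_POSTS = [
    {"id": "p1", "source_type": "forum", "published": datetime(2030, 1, 8),
     "text": "Lockbit blog got seized. Is there an alternative? Saw a new site."},
    {"id": "p2", "source_type": "chat", "published": datetime(2030, 1, 9),
     "text": "LockBit was taken down, mirror list coming soon"},
    {"id": "p3", "source_type": "news", "published": datetime(2030, 1, 9),
     "text": "LockBit seized; researchers expect a replacement"},
    {"id": "p4", "source_type": "forum", "published": datetime(2029, 12, 1),
     "text": "lockbit seized? any alternative"},
    {"id": "p5", "source_type": "forum", "published": datetime(2030, 1, 9),
     "text": "lockbit affiliate panel seized"},
]

if __name__ == "__main__":
    print(match_posts(SAMPLE_POSTS, WINDOW_END))
```

Posts p3, p4 and p5 are dropped by the source filter, the time window and the missing "alternative" group respectively, which is why all three conditions are needed to keep the result set small enough to review by hand.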

This quick investigation led us to a thread on the hacking forum Exploit, where a user mentioned a new site named Dispossessor. Remarkably similar to the original LockBit site, the majority of the posts hosted on Dispossessor are identical to the ones published on the old LockBit site.

A user mentions a site that looks like LockBit’s site (image taken from Lunar)

In the next image, taken from Lunar, we can spot the first mentions of Dispossessor’s site in deep and dark web hacking forums on February 15, only days before LockBit’s site was seized.

The first mentions of Dispossessor’s site in deep and dark web hacking forums, taken from Lunar

How similar is Dispossessor’s site to LockBit’s site?

There are several striking similarities between LockBit and Dispossessor despite differences in names and logos.

Both share a similar site structure, colors, fonts, and sections, amounting to a very strong resemblance. Take a look at the images taken of their home pages:

Screenshot of the home page of LockBit’s site before it was seized
Screenshot of the Dispossessor homepage

Beyond structural similarities, Dispossessor exhibits remarkable content parallels with LockBit’s old site. 

Several posts originally found on LockBit are now mirrored on Dispossessor, with identical content and publication dates.

A screenshot of the same post from the two sites – this one is taken from LockBit’s seized site
A screenshot of the same post from the two sites – this one is taken from Dispossessor
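
The comparison described above (posts mirrored with identical content and publication dates) can be made repeatable rather than visual. The following is an added example, not tooling from the original investigation; the post fields, function names and sample listings are assumptions constructed for illustration.

```python
import hashlib
import re


def content_key(post):
    """SHA-256 of the title and body after lower-casing and collapsing whitespace."""
    text = re.sub(r"\s+", " ", f"{post['title']} {post['body']}").strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def compare_listings(old_posts, new_posts):
    """Classify each post on the new site against the old site's listing:
    mirrored = same content and same date, redated = same content, new date,
    unique   = content not seen on the old site."""
    old_by_content = {content_key(p): p for p in old_posts}
    result = {"mirrored": [], "redated": [], "unique": []}
    for post in new_posts:
        match = old_by_content.get(content_key(post))
        if match is None:
            result["unique"].append(post["title"])
        elif match["published"] == post["published"]:
            result["mirrored"].append(post["title"])
        else:
            result["redated"].append(post["title"])
    return result


def mirrored_ratio(result):
    """Share of the new site's posts that are exact mirrors of old ones."""
    total = sum(len(v) for v in result.values())
    return len(result["mirrored"]) / total if total else 0.0


# Constructed sample listings (placeholder names and dates, not real data).
OLD_SITE = [
    {"title": "victim-a.example", "published": "2030-01-03",
     "body": "Files will be published.\nDeadline passed."},
    {"title": "victim-b.example", "published": "2030-01-05",
     "body": "Financial documents, 40 GB"},
    {"title": "victim-c.example", "published": "2030-01-07", "body": "HR records"},
]
NEW_SITE = [
    {"title": "Victim-A.example", "published": "2030-01-03",
     "body": "Files will be  published. Deadline passed."},
    {"title": "victim-b.example", "published": "2030-01-09",
     "body": "Financial documents, 40 GB"},
    {"title": "victim-d.example", "published": "2030-01-10", "body": "New listing"},
]

if __name__ == "__main__":
    report = compare_listings(OLD_SITE, NEW_SITE)
    print(report, round(mirrored_ratio(report), 2))
```

Separating "mirrored" from "redated" matters for attribution notes: identical dates suggest a copied listing, while reused content under a new date suggests the post was republished.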

How to keep track of re-emerging LockBit sites?

After finalizing the query used to track any new indication of LockBit’s new site, we established a high-priority alert within Lunar. This alert is designed to constantly monitor the deep and dark web for any emerging domains or sites associated with LockBit. Its frequency has been set to every 6 hours to ensure timely updates and vigilance.

We set an alert on Lunar to find new domains or new sites associated with LockBit

Is LockBit back?

The alert we set on Lunar notified us via email about posts matching our LockBit query. Among the retrieved posts was an announcement LockBit made on a Telegram channel about server restoration. This post included a link to the statement itself, where LockBit shared a list of multiple mirrors leading to their new site.

The post surfaced by Lunar’s alert, indicating that LockBit has new Tor domains
LockBit’s statement, including the list of the new domains of the main blog (image taken from Lunar)

LockBit – what’s next?

The recent shutdown of LockBit’s site marks a significant milestone in the fight against ransomware attacks, given its status as a leading player in this domain. The re-emergence of their site shortly after it was shut down shows how difficult it is to keep track of ransomware groups and their sites.

As ransomware attacks and cyber threats, in general, continue to evolve, it is crucial to continue to proactively monitor these activities with dark web monitoring tools, such as Webz.io’s Lunar. Without them, companies will struggle to stay ahead of emerging risks and defend against potential attacks launched by groups like LockBit.

Yhonatan Harari

Cyber Analyst
