{ "id": "20581692-255d-4c6b-80d7-3b45b4b078df", "created_at": "2026-04-06T00:19:37.717492Z", "updated_at": "2026-04-10T13:12:04.385033Z", "deleted_at": null, "sha1_hash": "9bfe2727bad29891aba48a8ae4626537ead49824", "title": "LockBit ransomware returns to attacks with new encryptors, servers", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 4686654, "plain_text": "LockBit ransomware returns to attacks with new encryptors, servers\r\nBy Lawrence Abrams\r\nPublished: 2024-02-28 · Archived: 2026-04-06 00:05:16 UTC\r\nThe LockBit ransomware gang is once again conducting attacks, using updated encryptors with ransom notes linking to new\r\nservers after last week's law enforcement disruption.\r\nLast week, the NCA, FBI, and Europol conducted a coordinated disruption called 'Operation Cronos' against the LockBit\r\nransomware operation.\r\nAs part of this operation, law enforcement seized infrastructure, retrieved decryptors, and, in an embarrassing moment for\r\nLockBit, converted the ransomware gang's data leak site into a police press portal.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nLockBit data leak site converted into a press site\r\nSource: BleepingComputer\r\nSoon after, LockBit set up a new data leak site and left a long note addressed to the FBI, claiming law enforcement breached\r\ntheir servers using a PHP bug.\r\nHowever, instead of rebranding, they promised to return with updated infrastructure and new security mechanisms to\r\nprevent law enforcement from performing operation-wide attacks and gaining access to decryptors.\r\nUpdated LockBit encryptors used in attacks\r\nAs of yesterday, LockBit appears to be conducting attacks again, with new encryptors and infrastructure setup for data leak\r\nand negotiation sites.\r\nAs first reported by Zscaler, the ransomware gang updated their encryptor's ransom notes with Tor URLs for the gang's new\r\ninfrastructure. BleepingComputer later found samples of the encryptors uploaded to VirusTotal yesterday [Sample] (shared\r\nby MalwareHunterTeam) and today [Sample], containing the updated ransom notes.\r\nBleepingComputer also confirmed that the operation's negotiation servers are live again but only work for victims of new\r\nattacks.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers/\r\nPage 3 of 5\n\nNew LockBit negotiation sites\r\nSource: BleepingComputer\r\nAt the time of LockBit's takedown, the ransomware operation had approximately 180 affiliates working with them to\r\nconduct attacks.\r\nIt is not known how many are still working with the Ransomware-as-a-Service, as one has publicly lashed out at the\r\noperation on X.\r\nHowever, LockBit states that they are now actively recruiting experienced pentesters to join their operation again, which\r\nwill likely lead to increased attacks in the future.\r\nWhether this is a grand plan for LockBit to slowly fade away and rebrand as we saw with Conti remains to be seen. For now,\r\nthough, it is safer to assume that LockBit continues to be a threat.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers/\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers/" ], "report_names": [ "lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5", "created_at": "2022-10-25T16:07:23.797925Z", "updated_at": "2026-04-10T02:00:04.752608Z", "deleted_at": null, "main_name": "LockBit Gang", "aliases": [ "Bitwise Spider", "Operation Cronos" ], "source_name": "ETDA:LockBit Gang", "tools": [ "3AM", "ABCD Ransomware", "CrackMapExec", "EmPyre", "EmpireProject", "LockBit", "LockBit Black", "Mimikatz", "PowerShell Empire", "PsExec", "Syrphid" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434777, "ts_updated_at": 1775826724, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9bfe2727bad29891aba48a8ae4626537ead49824.pdf", "text": "https://archive.orkl.eu/9bfe2727bad29891aba48a8ae4626537ead49824.txt", "img": "https://archive.orkl.eu/9bfe2727bad29891aba48a8ae4626537ead49824.jpg" } }