{
	"id": "154d0ac3-3723-494c-877b-028fc4ef5566",
	"created_at": "2026-04-06T00:12:44.699539Z",
	"updated_at": "2026-04-10T03:26:47.04721Z",
	"deleted_at": null,
	"sha1_hash": "f1c9e4ca4836c9529671206c5712f7f09fe4fe91",
	"title": "LockBit ransomware returns, restores servers after police disruption",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2632706,
	"plain_text": "LockBit ransomware returns, restores servers after police disruption\r\nBy Ionut Ilascu\r\nPublished: 2024-02-25 · Archived: 2026-04-05 18:34:24 UTC\r\nThe LockBit gang is relaunching its ransomware operation on new infrastructure less than a week after law enforcement hacked its servers, and is threatening to focus more of its attacks on the government sector.\r\nIn a message posted under a mock-up FBI leak, specifically to draw attention, the gang published a lengthy statement about the negligence that enabled the breach and its plans for the operation going forward.\r\nLockBit ransomware continues attacks\r\nOn February 19, authorities took down LockBit’s infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel.\r\nFive days later, LockBit is back and provides details about the breach and how it plans to run the business to make its infrastructure more difficult to hack.\r\nImmediately after the takedown, the gang confirmed the breach, saying that it lost only the servers running PHP and that backup systems without PHP were untouched.\r\nOn Saturday, LockBit announced it was resuming the ransomware business and released a damage control communication admitting that “personal negligence and irresponsibility” led to law enforcement disrupting its activity in Operation Cronos.\r\nThe gang kept the brand name and moved its data leak site to a new .onion address that lists five victims with countdown timers for publishing stolen information.\r\nSome of the organizations on LockBit's \"leaked data\" page appear to be victims of previously known attacks.\r\nRelaunched LockBit data leak site shows five victims\r\nsource: BleepingComputer\r\nOutdated PHP server\r\nLockBit says that law enforcement, which it refers to collectively as the FBI, breached two main servers “because for 5 years of swimming in money I became very lazy.”\r\n“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time.” The threat actor says that the server hosting the victim admin and chat panels and the blog server were running PHP 8.1.2 and were likely hacked using a critical vulnerability tracked as CVE-2023-3824.\r\nLockBit says it updated the PHP server and announced that it would reward anyone who finds a vulnerability in the latest version.\r\nSpeculating on the reason “the FBI” hacked its infrastructure, the cybercriminal says that it was because of the ransomware attack on Fulton County in January, which posed the risk of leaking information with “a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election.”\r\nThis led LockBit to believe that by attacking “the .gov sector more often” it will force “the FBI” to show whether it has the ability to attack the gang.\r\nThe threat actor says that law enforcement “obtained a database, web panel sources, locker stubs that are not source as they claim and a small portion of unprotected decryptors.”\r\nDecentralized affiliate panels\r\nDuring Operation Cronos, authorities collected more than 1,000 decryption keys. LockBit claims that the police obtained the keys from “unprotected decryptors” and that on the server there were almost 20,000 decryptors, about half of the approximately 40,000 generated over the entire life of the operation.\r\nThe threat actor defines “unprotected decryptors” as builds of the file-encrypting malware that did not have the “maximum decryption protection” feature enabled, typically used by low-level affiliates that take smaller ransoms of just $2,000.\r\nLockBit plans to upgrade security for its infrastructure and switch to manually releasing decryptors and trial file decryptions, as well as host the affiliate panel on multiple servers and provide its partners with access to different copies based on their trust level.\r\n“Due to the separation of the panel and greater decentralization, the absence of trial decrypts in automatic mode, maximum protection of decryptors for each company, the chance of hacking will be significantly reduced” - LockBit\r\nThe long message from LockBit looks like damage control and an attempt to restore credibility for a tainted reputation.\r\nThe gang took a heavy blow, and even if it managed to restore the servers, affiliates have good reason to be distrustful.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-restores-servers-after-police-disruption/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-restores-servers-after-police-disruption/"
	],
	"report_names": [
		"lockbit-ransomware-returns-restores-servers-after-police-disruption"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434364,
	"ts_updated_at": 1775791607,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1c9e4ca4836c9529671206c5712f7f09fe4fe91.pdf",
		"text": "https://archive.orkl.eu/f1c9e4ca4836c9529671206c5712f7f09fe4fe91.txt",
		"img": "https://archive.orkl.eu/f1c9e4ca4836c9529671206c5712f7f09fe4fe91.jpg"
	}
}