https://www.theregister.com/2024/02/21/lockbit_leaks/
Submission: On February 22 via api from TR — Scanned from DE
Text Content
LOCKBIT LEAKS EXPOSE NEARLY 200 AFFILIATES AND BESPOKE DATA-STEALING MALWARE
Operation Cronos's 'partners' continue to trickle the criminal empire's secrets
Connor Jones, Wed 21 Feb 2024 // 14:07 UTC
Cyber-crime

The latest revelation from law enforcement authorities in relation to this week's LockBit leaks is that the ransomware group had registered nearly 200 "affiliates" over the past two years. Affiliates are the people who buy into the gang's ransomware-as-a-service model and happily use LockBit's wares in exchange for a cut of the loot extorted from victims.

New information about the group is being disseminated daily by the National Crime Agency (NCA), which has control of LockBit's site and transformed it yesterday, announcing the successful takedown of the world's leading ransomware gang.

Today's LockBit leak shared information from inside the group's affiliate portal, showing 187 different affiliates registered between January 31, 2022, and February 5, 2024.

[Image: List of LockBit 3.0 affiliates published by the NCA]

The FBI first started investigating LockBit in 2020, and the group has since developed new variants of its ransomware, the latest of which was released in mid-2022, so the data shared today likely covers all the affiliates that have ever deployed the most recent version of LockBit.

The data gathered by compromising LockBit's backend will be used to investigate those involved in deploying the ransomware and who paid money to be part of the LockBit affiliate program.

"A large amount of data has been exfiltrated from LockBit's platform before it was all corrupted," reads LockBit's website, which is now under the control of the NCA. "With this data, the NCA and partners will be coordinating further enquiries to identify the hackers who pay to be a LockBit affiliate. Some basic details published here for the first time."

When covering the story yesterday, we likened the transformation of LockBit's site into what is essentially a troll page to the NCA showing the middle finger to the criminals – a finger it further extended today.

Not only did the authorities expose the aliases of LockBit's affiliates, they also defaced the affiliate portal with a message directed at all of them, seen after logging in.

"Hello [user name], Law Enforcement has taken control of LockBit's platform and obtained all the information held on there. This information relates to the LockBit group and you, their affiliate. We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more. You can thank Lockbitsupp and their flawed infrastructure for this situation… we may be in touch with you very soon. If you would like to contact us directly, please get in touch.

In the meantime, we would encourage you to visit the LockBit leaksite. Have a nice day. Regards, The National Crime Agency of the UK, the FBI, Europol, and the Operation Cronos Law Enforcement Task Force."

The UK, US, France, Germany, Switzerland, Australia, Finland, and the Netherlands were all involved in the multinational effort to bring down the affiliate infrastructure, the website states. "These servers enabled both the initial cyberattacks by affiliates and supported the stealing of victim data and processing to 'StealBit' servers."

STEALBIT'S DEMISE

Details of StealBit – the LockBit operation's bespoke data exfiltration tool offered to affiliates – were teased in yesterday's announcement and published today as the second major revelation.

Much has been said over the years about LockBit's various ransomware payloads and its double extortion model, but StealBit is the lesser-known malware, first deployed in LockBit 2.0 attacks dating back to 2021.

The NCA published its analysis of StealBit today, highlighting the importance of the tool in LockBit attacks and to the affiliates that deploy it.

Using the password-protected StealBit, affiliates steal data from victims before the ransomware payload is dropped and before organizations are locked out of their systems. Once the exfiltration tool is deployed, it allows affiliates to select files from a specific folder or from the entire computer, the authorities said.

The selected files are then sent back to LockBit via one of six proxy servers using a WebDAV header, which contains a new 33-character file name beginning with 0 or 1, the original file path, the computer name, and a unique identifier.

The unique identifier is what allows each data theft to be attributed to an affiliate, and it is what LockBit leadership uses to see who should be paid for any given job.

If StealBit cannot connect to the hardcoded IP address it uses to send stolen data back to HQ, it shuts down and uninstalls itself to evade detection.

The most common method of exfiltrating data is to route it through the affiliate's own infrastructure before it reaches StealBit's, which authorities say is intended to prevent incident responders from locating the malware's servers.

[Image: Diagram of the two methods used by affiliates to steal victims' data using the StealBit malware]

In a final warning to LockBit sympathizers, the NCA said that all six of StealBit's proxy servers have been located and "destroyed" and that anyone "misguided enough" to try to bring them back online would be located.

"StealBit is an example of LockBit's attempt to offer a full 'one-stop shop' service to its affiliates, encryption, exfiltration, negotiation, publishing," the seized website reads. "In essence, we have fully analyzed and understand how this malware and its associated infrastructure operates. We have located and destroyed the servers, and can locate them again should anyone be misguided enough to attempt its use."
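The StealBit description above carries a practical point for defenders: because affiliates usually relay stolen data through their own servers before it reaches StealBit's proxies, blocking the six known proxy addresses catches little, and the request shape is a better signal. The following is an added example (not code from The Register or the NCA) that scans a few constructed proxy log lines for the behaviour the article describes: a WebDAV upload to an external host whose header carries a 33-character name starting with 0 or 1, a file path, and the computer name. The JSON log layout, the header name "X-Meta", the alphanumeric token alphabet and the use of PUT are assumptions made for the example; the page states only the four header fields and the WebDAV transport.

```python
"""Added example, not from The Register article or the NCA's analysis.

Behaviour-based detection for StealBit-style exfiltration, run over a few
constructed proxy log lines. The article gives four facts about StealBit's
upload: it talks WebDAV, and its header carries a 33-character file name
starting with 0 or 1, the original file path, the computer name and a
unique identifier. Everything else here (the JSON log layout, the header
name "X-Meta", the alphanumeric token alphabet, the ordering of fields)
is an assumption made for the example.
"""
import json
import re
from ipaddress import ip_address, ip_network

# WebDAV verbs an upload may use (assumption: StealBit uses PUT)
WEBDAV_METHODS = {"PUT", "MKCOL", "PROPFIND", "PROPPATCH", "MOVE", "COPY", "LOCK"}

# RFC 1918 ranges treated as internal; anything else is an external destination
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# 33 alphanumeric characters, first one 0 or 1, not embedded in a longer word
# (the page states only the length and the leading character; alphabet assumed)
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9])[01][A-Za-z0-9]{32}(?![A-Za-z0-9])")

# Windows drive path or common Unix data roots inside a header value
PATH_RE = re.compile(r"[A-Za-z]:\\|/(?:home|Users|srv|var)/")


def is_external(dst_ip: str) -> bool:
    addr = ip_address(dst_ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_proxy_log(lines):
    """Constructed format: one JSON object per line with ts, host, method,
    dst_ip, url, headers. Malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def stealbit_indicators(event) -> list:
    """Indicators present in one request, in a fixed order; [] if none.

    The gate is a WebDAV method to an external host. Because affiliates
    usually relay through their own servers first, the destination IP is
    not one of the six known proxies, so the rule does not match on IP."""
    method = str(event.get("method", "")).upper()
    dst_ip = event.get("dst_ip")
    if method not in WEBDAV_METHODS or not dst_ip or not is_external(dst_ip):
        return []
    hits = ["webdav_upload_external"]
    # Flatten all headers so the check does not depend on the header name
    blob = " ".join(f"{k}: {v}" for k, v in event.get("headers", {}).items())
    if TOKEN_RE.search(blob):
        hits.append("33char_token")
    host = str(event.get("host", ""))
    if host and host.lower() in blob.lower():
        hits.append("hostname_in_header")
    if PATH_RE.search(blob):
        hits.append("file_path_in_header")
    return hits


def find_stealbit_like(events, min_score: int = 3):
    """Alerts as (ts, host, dst_ip, indicators) for requests showing at least
    min_score indicators; a bare external PUT scores 1 and is not alerted."""
    alerts = []
    for e in events:
        hits = stealbit_indicators(e)
        if len(hits) >= min_score:
            alerts.append((e.get("ts"), e.get("host"), e.get("dst_ip"), hits))
    return alerts


# Constructed sample log: one StealBit-like upload, one plain GET to the same
# host, one internal WebDAV PUT, one benign external WebDAV PUT.
SAMPLE_LOG = r"""
{"ts": "2024-02-19T03:12:07Z", "host": "FIN-WS-042", "method": "PUT", "dst_ip": "203.0.113.17", "url": "/dav/1a9f0c2d3e4b5a6f7c8d9e0f1a2b3c4d5", "headers": {"X-Meta": "1a9f0c2d3e4b5a6f7c8d9e0f1a2b3c4d5 C:\\Finance\\Q4\\payroll.xlsx FIN-WS-042 7f3e2a10", "Content-Length": "184320"}}
{"ts": "2024-02-19T03:12:09Z", "host": "FIN-WS-042", "method": "GET", "dst_ip": "203.0.113.17", "url": "/", "headers": {"User-Agent": "curl/8.4.0"}}
{"ts": "2024-02-19T09:00:01Z", "host": "DEV-LT-007", "method": "PUT", "dst_ip": "10.20.30.40", "url": "/dav/build.log", "headers": {"Content-Type": "text/plain"}}
{"ts": "2024-02-19T09:15:44Z", "host": "MKT-WS-003", "method": "PUT", "dst_ip": "198.51.100.9", "url": "/webdav/report.pdf", "headers": {"Content-Type": "application/pdf"}}
"""

if __name__ == "__main__":
    for alert in find_stealbit_like(parse_proxy_log(SAMPLE_LOG.splitlines())):
        print(alert)
```

Only the first sample line trips the rule: it is an external WebDAV PUT that also carries the 33-character token, the local hostname and a Windows path, so it scores 4. The benign external PUT scores 1 and stays quiet, which is the point of requiring several of the header fields together rather than alerting on every WebDAV upload. In production the same logic would also want a per-destination volume count, since StealBit sends whole folders, and an allowlist of sanctioned external WebDAV endpoints.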