Grupo de ransomaware LockBit conocido por el alto grado de profesionalización de sus miembros y su estructura interna, parecía quedar así desarticulada. Su caída daba a su vez una ventana a las miles de víctimas de la organización en todo el mundo, ya que las fuerzas de seguridad consiguieron hacerse con un considerable número de códigos para descifrar los archivos secuestrados por los que esperaban cobrar un rescate.

 

 

LockBit cumple su amenaza: “el grupo cibercriminal más dañino del mundo” vuelve a actuar y dice apoyar a Trump

“Hemos tomado el control de su infraestructura, confiscado su código fuente y obtenido claves que ayudarán a las víctimas a descifrar sus sistemas”, aseveraba el jefe de la operación internacional, en la que también participaron Francia, Japón, Suiza, Canadá, Australia, Suecia, Países Bajos, Finlandia y Alemania. “A día de hoy, LockBit está bloqueado”. 

 

Sin embargo, apenas unas horas después el propio grupo de cibercrimen organizado ponía toda la operación en duda. Una serie de mensajes en su grupo oficial de Telegram avisaba que los daños a sus archivos habían sido mínimos y que volverían a la actividad muy pronto.

Los ciberdelincuentes han cumplido su amenaza en la madrugada de este domingo. Un nuevo portal oficial en la web oscura anuncia nuevas víctimas y las emplaza a negociar los rescates por sus archivos. Además, anuncian su apoyo a Donald Trump y aseguran que la operación del FBI contra ellos es una respuesta al robo de información confidencial sobre sus procesos legales.

“Los documentos robados contienen cosas interesantes sobre los casos judiciales de Donald Trump que podrían afectar las próximas elecciones en EEUU”, afirma LockBit. “La situación en la frontera con México es una pesadilla. Biden debería retirarse, es un títere. Si no fuera por el ataque del FBI, los documentos se habrían publicado el mismo día”, continúan en un extenso comunicado.

La organización también se burla de la operación contra ellos y reta a las fuerzas de seguridad a demostrar que su ataque fue realmente exitoso. “Afirman tener 1.000 códigos de descifrado, aunque había casi 20.000 descifradores en el servidor, la mayoría de los cuales estaban protegidos y no pueden ser utilizados por el FBI”, manifiestan. 

El ransomware LockBit continúa atacando

El sábado, LockBit anunció que estaba reanudando el negocio de ransomware y publicó un comunicado de control de daños en el que admitía que la «negligencia personal y la irresponsabilidad» llevaron a las fuerzas del orden a interrumpir su actividad en la Operación Cronos.

La pandilla mantuvo el nombre de la marca y trasladó su sitio de filtración de datos a una nueva dirección .onion que enumera a cinco víctimas con temporizadores de cuenta regresiva por publicar información robada.

El 19 de febrero, las autoridades desmantelaron la infraestructura de LockBit, que incluía 34 servidores que alojaban el sitio web de fuga de datos y sus espejos, datos robados a las víctimas, direcciones de criptomonedas, claves de descifrado y el panel de afiliados.

Inmediatamente después del derribo, la banda confirmó la violación diciendo que solo perdieron los servidores que ejecutaban PHP y que los sistemas de copia de seguridad sin PHP no se tocaron.

Cinco días después, LockBit está de vuelta y proporciona detalles sobre la brecha y cómo van a administrar el negocio para hacer que su infraestructura sea más difícil de piratear.

Servidor PHP desactualizado

LockBit dice que las fuerzas del orden, a las que se refieren colectivamente como el FBI, violaron dos servidores principales «porque durante 5 años de nadar en dinero me volví muy perezoso».

«Debido a mi negligencia personal e irresponsabilidad, me relajé y no actualicé PHP a tiempo.» El actor de amenazas dice que el servidor de los paneles de chat y administración de la víctima y el servidor de blogs ejecutaban PHP 8.1.2 y probablemente fueron pirateados utilizando una vulnerabilidad crítica rastreada como CVE-2023-3824.

LockBit dice que actualizaron el servidor PHP y anunciaron que recompensarían a cualquiera que encuentre una vulnerabilidad en la última versión.

Especulando sobre la razón por la que «el FBI» hackeó su infraestructura, el ciberdelincuente dice que fue por el ataque de ransomware en el condado de Fulton en enero, que planteó el riesgo de filtrar información con «muchas cosas interesantes y los casos judiciales de Donald Trump que podrían afectar las próximas elecciones estadounidenses».

Esto llevó a LockBit a creer que al atacar «el sector .gov más a menudo» obligarían al «FBI» a demostrar si tiene la capacidad de atacar a la pandilla.

El actor de amenazas dice que las fuerzas del orden «obtuvieron una base de datos, fuentes de paneles web, talones de casilleros que no son fuente como afirman y una pequeña parte de descifradores desprotegidos».

Paneles de afiliados descentralizados

Durante la Operación Cronos, las autoridades recogieron más de 1.000 claves de descifrado. LockBit afirma que la policía obtuvo las claves de «descifradores desprotegidos» y que en el servidor había casi 20.000 descifradores, aproximadamente la mitad de los aproximadamente 40.000 generados durante toda la vida útil de la operación.

El actor de amenazas define los «descifradores desprotegidos» como compilaciones del malware de cifrado de archivos que no tenían habilitada la función de «máxima protección de descifrado», generalmente utilizada por afiliados de bajo nivel que aceptan rescates más pequeños de solo $ 2,000.

LockBit planea mejorar la seguridad de su infraestructura y pasar a liberar manualmente descifradores y descifrar archivos de prueba, así como alojar el panel de afiliados en varios servidores y proporcionar a sus socios acceso a diferentes copias según el nivel de confianza.

El largo mensaje de LockBit parece un control de daños y un intento de restaurar la credibilidad de una reputación manchada.

La pandilla recibió un duro golpe e incluso si logró restaurar los servidores, los afiliados tienen una buena razón para desconfiar.

El comunicado:

What happened.

On February 19, 2024 penetration testing of two of my servers took place, at 06:39 UTC I found an error on the site 502 Bad Gateway, restarted nginx - nothing changed, restarted mysql - nothing changed, restarted PHP - the site worked. I didn't pay much attention to it, because for 5 years of swimming in money I became very lazy, and continued to ride on a yacht with titsy girls. At 20:47 I found that the site gives a new error 404 Not Found nginx, tried to enter the server through SSH and could not, the password did not fit, as it turned out later all the information on the disks was erased.

Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time, the servers had PHP 8.1.2 version installed, which was successfully penetration tested most likely by this CVE https://www.cvedetails.com/cve/CVE-2023-3824/ , as a result of which access was gained to the two main servers where this version of PHP was installed.  I realize that it may not have been this CVE, but something else like 0day for PHP, but I can't be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims' admin and chat panel servers and the blog server were accessed. The new servers are now running the latest version of PHP 8.3.3. If anyone recognizes a CVE for this version, be the first to let me know and you will be rewarded.

The problem doesn't just affect me. Anyone who has used a vulnerable version of PHP keep in mind that your server may have been compromised, I'm sure many competitors may have been hacked in the same way, but they didn't even realize how it happened. I'm sure the forums I know are also hacked in the same way via PHP, there are good reasons to be sure, not only because of my hack but also because of information from whistleblowers. I noticed the PHP problem by accident, and I'm the only one with a decentralized infrastructure with different servers, so I was able to quickly figure out how the attack happened, if I didn't have backup servers that didn't have PHP on them, I probably wouldn't have figured out how the hack happened.

The FBI decided to hack now for one reason only, because they didn't want to leak information from https://fultoncountyga.gov/ the stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election. Personally I will vote for Trump because the situation on the border with Mexico is some kind of nightmare, Biden should retire, he is a puppet. If it wasn't for the FBI attack, the documents would have been released the same day, because the negotiations stalled, right after the partner posted the press release to the blog, the FBI really didn't like the public finding out the true reasons for the failure of all the systems of this city. Had it not been for the election situation, the FBI would have continued to sit on my server waiting for any leads to arrest me and my associates, but all you need to do to not get caught is just quality cryptocurrency laundering. The FBI can sit on your resources and also collect information useful for the FBI, but do not show the whole world that you are hacked, because you do not cause any critical damage, you bring only benefit. What conclusions can be drawn from this situation? Very simple, that I need to attack the .gov sector more often and more, it is after such attacks that the FBI will be forced to show me weaknesses and vulnerabilities and make me stronger. By attacking the .gov sector you can know exactly if the FBI has the ability to attack us or not.

Even if you updated your PHP version after reading this information, it will not be enough, because you have to change the hoster, server, all possible passwords, user passwords in the database, audit the source code and migrate everything, there is no guarantee that you have not been hardened on the server. There is no guarantee that the FBI does not have 0day for your servers about which they have already learned enough information to re-hack, so only a complete change of everything that can only be replaced will help.

All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies.

As a result of hacking the servers, the FBI obtained a database, web panel sources, locker stubs that are not source as they claim and a small portion of unprotected decryptors, they claim 1000 decryptors, although there were almost 20000 decryptors on the server, most of which were protected and cannot be used by the FBI. Thanks to the database they found out the generated nicknames of the partners, which have nothing to do with their real nicknames on forums and even nicknames in messengers, not deleted chats with the attacked companies and accordingly wallets for money, which will be investigated and searched for all those who do not launder crypto, and possibly arrest people involved in laundering and accuse them of being my partners, although they are not. All of this information has no value because it is all passed to the FBI and without hacking the panel, after every transaction by insurance agents or negotiators.

The only thing that is of value and potential threat is the source code of the panel, because of it is probably possible future hacks if you let everyone into the panel, but now the panel will be divided into many servers, for verified partners and for random people, up to 1 copy of the panel for 1 partner on a separate server, before there was one panel for everyone. Due to the separation of the panel and greater decentralization, the absence of trial decrypts in automatic mode, maximum protection of decryptors for each company, the chance of hacking will be significantly reduced. Leak of the panel source code was also happening at competitors, it didn't stop them from continuing their work, it won't stop me either.

The FBI says they received about 1000 decryptors, a nice figure, but it doesn't look like the truth, yes they received some unprotected decryptors, those builds of the locker that were made without the "maximum decryptor protection" checkbox could only be received by the FBI in the last 30 days, it's not known on what day the FBI got access to the server, but we know exactly the date of CVE disclosure and the date when PHP generated an error, before Feb 19th the attacked companies were regularly paying even for unprotected decryptors, so there is a chance the FBI were only on the server for 1 day, it would be nice if the FBI released all the decryptors to the public, then you could trust them that they really own the decryptors, not bluffing and praising their superiority, not the superiority of 1 smart pentester with a public CVE. Note that the vast majority of unprotected decryptors are from partners who encrypt brute force dedicas and spam single computers, taking $2000 ransoms, i.e. even if the FBI has 1000 decryptors, they are of little use, the main thing is that they didn't get all the decryptors for the entire 5 years of operation, which number is about 40000. It turns out that the FBI were only able to get hold of 2.5% of the total number of decryptors, yes it's bad, but it's not fatal.

- From this significant moment, when the FBI cheered me up, I will stop being lazy and make it so that absolutely every build loker will be with maximum protection, now there will be no automatic trial decrypt, all trial decrypts and the issuance of decryptors will be made only in manual mode. Thus in the possible next attack, the FBI will not be able to get a single decryptor for free.

Probably, everyone has already noticed how beautifully the FBI has changed the design of the blog, no one has ever been given such honors, usually everyone just put the usual plug with the praise of all the special services of the world. Although in fact only one person from all over the planet deserves praise, the one who pentest my site and picked up the right public CVE, I wonder how much he was paid, how much was his bonus? If less than a million dollars, then come work for me, you'll probably make more with me.  Or just come talk to me at tox XXXXXXXXXX remember that I always have an active bug bounty program and I pay money for bugs found. FBI doesn't appreciate your talents, but I do and am willing to pay generously.

I wonder why the alpha, revil, hive blogs were not designed so nicely? Why weren't their deanons published? Even though the FBI knows their identities? Strange isn't it? Because with such stupid methods FBI is trying to intimidate me and make me stop working. The FBI designer should work for me, you have good taste, I especially liked the new preloader, in the new update I should do something similar, USA, UK and Europe revolve around my logo, brilliant idea, right there made me feel very good, thanks.

A couple of my partners were arrested, to be honest I doubt that very much, they are probably just people who are laundering cryptocurrencies, maybe they were working for some mixers and exchangers with drops, that's why they were arrested and considered my partners, it would be interesting to see the video of the arrest, where at their homes, Lamborghinis and laptops with evidence of their involvement in our activities, but I somehow think we will not see it, because the FBI arrested random people to get a certificate of merit from the management, say look there are arrests, we are not getting money for nothing, we are honestly working off taxes and imprisoning random people, when real pentesters quietly continue their work. Basssterlord is not caught, I know Basssterlord's real name, and it's different than the poor guy the FBI caught.

I don't know any military journalist from Sevastopol Colonel Cassad, and I never donated to anyone, it would be nice if the FBI showed the transaction so I could check on the blockchain where they drew such conclusions from and why they claim it was me who did it, I never do any transaction without a bitcoin mixer.

If I may have used the same cryptocurrency exchange service that someone from Evil Corp used it absolutely does not mean I have anything to do with Evil Corp, again where are the transactions? How do I know who is using which exchanger? I use different exchangers and I don't concentrate all my money on one cryptocurrency exchanger. Let's blame the hundreds of other people who use publicly available exchanges on Evil Corp.
I really dislike that all such throw-ins are made without publishing transactions and wallets, thus it is impossible to verify what is true. You can accuse me of anything without proving anything, and there is no way I can refute it, because there are no transactions and bitcoin wallets.

The FBI states that my income is over 100 million dollars, this is true, I am very happy that I deleted chats with very large payouts, now I will delete more often and small payouts too. These numbers show that I am on the right track, that even if I make mistakes it doesn't stop me and I correct my mistakes and keep making money. This shows that no hack from the FBI can stop a business from thriving, because what doesn't kill me makes me stronger.

All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid.

I am very pleased that the FBI has cheered me up, energized me and made me get away from entertainment and spending money, it is very hard to sit at the computer with hundreds of millions of dollars, the only thing that motivates me to work is strong competitors and the FBI, there is a sporting interest and desire to compete. With competitors who will make more money and attack more companies, and with the FBI whether they can catch me or not, and I'm sure they can't, looking at the way they work.

The FBI promised to publish my deanon but they didn't fulfill their promise, these people dare to lie about me supposedly not deleting stolen information of companies after paying the ransom, clowning around. It turns out that the FBI officially recognized themselves as liars and they lie very often, as my familiar lawyers Arkady Buch, Dmitry Naskavets and Victor Smilyanets stated, now I believe them 100%. They made a foolish attempt to discredit me by claiming that I work for the FBI, a man who encrypts US companies every day and makes hundreds of millions of dollars does it with the approval of the FBI? Is that how it works? Very clever.

You're thinking, why would I work for hundreds of millions of dollars? And I will answer that I am just bored, I love my work, it brings me joy from life, money and luxury do not bring such joy as my work, that's why I am ready to risk my life for the sake of my work, that's how bright, rich and dangerous life should be in my opinion.

*when I write the word FBI I mean not only FBI, but also all their assistants, who know how to arrest servers of partners, which act as the first lining after stealing data from the attacked company and do not represent any value: South West Regional Organized Crime Unit in the U.K., Metropolitan Police Service in the U.K., Europol, Gendarmerie-C3N in France, the State Criminal Police Office L-K-A and Federal Criminal Police Office in Germany, Fedpol and Zurich Cantonal Police in Switzerland, the National Police Agency in Japan, the Australian Federal Police in Australia, the Swedish Police Authority in Sweden, the National Bureau of Investigation in Finland, the Royal Canadian Mounted Police in Canada, and the National Police in the Netherlands. So please don't take offense, I haven't forgotten about you, you were also very helpful in this operation. But let me remind you that personally I think the only person who deserves an award and an honorable mention is the person who found a suitable public PHP CVE for my servers, I'm assuming it's someone from Prodaft.

 

 

 Fuentes:

https://www.eldiario.es/tecnologia/lockbit-cumple-amenaza-grupo-cibercriminal-danino-mundo-vuelve-actuar-dice-apoyar-trump_1_10956278.html