LockBit repopulates leak site with old violations


The impact of Operation Cronos continues to hamper the LockBit ransomware group’s operations and the gang has begun posting false victim reports on its leak site.

Nearly 80% of victim statements that appear on the group’s new data leak site after Operation Cronos are illegitimate claims, according to a new report from Trend Micro, a Japanese cybersecurity company that participated in the operation policewoman who destroyed Lockbit’s infrastructure on February 19, 2024.

More than two-thirds of the recorded victims (68%) were re-uploads of attacks that occurred before Operation Cronos and 10% were victims of other ransomware groups, namely ALPHV/BlackCat and RansomHub.

Trend Micro also found that 7% of post-Operation Cronos downloads were quickly removed.

“14 victims remain unpublished and we have not found any public data other than posts on the LockBit site that claim to verify the actual dates of the attack,” the report adds.

Based on this analysis, Trend Micro believed that LockBit was attempting to manipulate its new leak site by filling it with false victim data and giving it the appearance of normalcy, as if the group was fully back and functioning.

Other suspicious behavior, such as deleting victims’ names before the countdown ends and downloading victims in batches, also supports this hypothesis.

Read more: What you need to know about Operation Cronos

Impact of Operation Cronos on LockBit Affiliates

As part of the Cronos operation, Trend Micro revealed that before the takedown, LockBit administrators were working on a new version of platform-independent ransomware that researchers called LockBit-NG-Dev (NG stands for “next generation”).

Read more: Who are the LockBit administrators?

However, the withdrawal likely put such development plans on hold as LockBit had to focus on restoring its infrastructure.

While LockBit’s kingpin (aka LockbitSupp) has promised to return quickly, the ability of the group’s subsidiaries to launch new attacks appears seriously hampered.

THE Trend Micro Report shows a clear drop in the number of actual infections associated with LockBit ransomware following Operation Cronos, with only one small cluster of attacks observed in the three weeks following the disruption.

On cybercrime forums, users claiming to be affiliated with LockBit complained of disruptions to the group’s infrastructure even before the operation was publicly announced.

“An actor using the handle ‘Desconocido’ complained that three current campaigns were affected by the disruption,” the Trend Micro report said.

Leave a comment