LockBit Repopulates Leak Site with Old Breaches
The impact of Operation Cronos continues to hinder the LockBit ransomware group’s operations, and the gang has begun posting fake victim claims to its leak site.
Almost 80% of victim entries that appear on the group’s new data leak site post-Operation Cronos are illegitimate claims, according to a new report by Trend Micro, a Japanese cybersecurity firm that took part in the law enforcement operation that took down LockBit’s infrastructure on February 19, 2024.
Over two-thirds of the listed victims (68%) were reuploads from attacks that occurred before Operation Cronos and 10% were victims of other ransomware groups – namely ALPHV/BlackCat and RansomHub.
Trend Micro also found that 7% of the post-Operation Cronos uploads had quickly been removed.
“14 victims were still not published and we did not find any public data other than the posts on the LockBit site that claim to verify the actual attack dates,” added the report.
Based on this analysis, Trend Micro assessed that LockBit is trying to manipulate its new leak site by populating it with fake victim data and giving it an appearance of normalcy, as if the group were fully back up and running.
Other suspicious behaviors, such as removing victim names before the end of the countdown timer and uploading victims in batches, also support this hypothesis.
Impact of Operation Cronos on LockBit’s Affiliates
As part of Operation Cronos, Trend Micro revealed that, before the takedown, the LockBit admins were working on a new, platform-agnostic ransomware build that researchers called LockBit-NG-Dev (NG stands for ‘next generation’).
However, the takedown has likely put any such development projects on hold, as LockBit had to focus on restoring its infrastructure.
While LockBit’s kingpin (aka LockbitSupp) promised to return quickly, the group affiliates’ ability to launch new attacks seems severely hampered.
The Trend Micro report shows a clear drop in the number of actual infections associated with LockBit ransomware following Operation Cronos, with only one small attack cluster observed in the three weeks following the disruption.
On cybercrime forums, users claiming to be LockBit affiliates complained about disruptions to the group’s infrastructure even before the operation was publicly announced.
“An actor using the handle ‘Desconocido’ complained that three ongoing campaigns were affected by the disruption,” the Trend Micro report states.