UPDATED 18:23 EDT / FEBRUARY 26 2024

LockBit ransomware gang returns after being temporarily disrupted by law enforcement

A week after an international law enforcement operation disrupted the infamous LockBit ransomware gang by taking down its leak site on the dark web, the group has returned as if very little had happened.

News of the operation targeting LockBit first emerged Feb. 19, with further details of the operation disclosed on Feb. 20. The operation, which involved law enforcement agencies from 11 countries, did result in the arrest of two alleged LockBit members in Poland and Ukraine and the issue of international arrest warrants and indictments for a number of other alleged members.

Although it’s commendable that law enforcement agencies target online crime, arresting two members of LockBit had little effect. The group is believed to have about 20 core members and at least 100 affiliates using its ransomware.

All the U.K. National Crime Authority, the U.S. Federal Bureau of Investigation and others did was cut two heads off a multiheaded hydra. It may have caused some short-term pain, but hydra heads grow back. Moreover, LockBit was prepared for the possibility that it could be targeted.

IT News reported today that the group said in a statement on its new dark web site that law enforcement had hacked its site using a vulnerability in the PHP programming language. “All other servers with backup blogs that did not have PHP installed are unaffected and will continue to give out data stolen from the attacked companies,” the group said.

Security experts were not surprised. Ilia Kolochenko, chief executive officer and chief architect at security company ImmuniWeb SA and adjunct professor of cybersecurity and cyber law at Capital Technology University, told SiliconANGLE that “LockBit is a mature, well-organized and seasoned cybercrime group that cannot be easily dismantled compared to smaller ransomware entities that were elegantly smashed by joint operations of law enforcement agencies in 2023.”

The LockBit ransomware gang emerged in 2020 and operates on a ransomware-as-a-service model, where affiliates use already-developed ransomware to execute attacks. In its time, LockBit has regularly been one of the most prolific ransomware groups and was named as the most active threat actor on the planet in January 2023.

Previous LockBit victims include Managed Care of North America Inc. in May 2023. A suspected gang affiliate was also arrested in Arizona in June 2022 and accused of being involved in multiple LockBit ransomware attacks against victims in the U.S., Asia, Europe and Africa. One of its most recent victims was Foxsemicon Integrated Technology Inc., a subsidiary of Hon Hai Precision Industry Co. Ltd., better known as Foxconn, in January.
