It is fundamentally important for Lockbit to be visible again quickly. Victims are presumably less willing to pay as long as there are rumors that the group is no longer operational.
"It has now become known that Lockbit, contrary to its own statements, does not delete the stolen data. That is one more reason to stand firm and not pay in the event of blackmail. The group has set up a new .onion leak site, where it claims that the investigating authorities used a PHP vulnerability for the takedown. This is a PR campaign: Lockbit wants to put the damage of the takedown into perspective and show strength. By its own account, Lockbit was compromised via an unknown PHP vulnerability, and only servers running PHP were affected. The statement seems implausible for two reasons. If they don't know exactly how they were compromised, how can they be sure it was through PHP? And the statement about the affected servers sounds like damage-limitation communication, or is simply wishful thinking.
The investigative authorities' action was extremely comprehensive and targeted the three things that constitute the true strength of a ransomware-as-a-service brand: the brand itself, the partner organizations (affiliates) that carry out the operations and, last but not least, the group's financial assets. The strike against the group on the dark web was supported by massive actions in the real world, such as the arrest of people who work with Lockbit. The seized website was used by the investigative authorities to send a warning message directly to the affiliates, and the Lockbit leak site and the Lockbit brand were used to mock and denigrate Lockbit and its partner organizations. In addition, the investigative authorities say they confiscated more than 200 cryptocurrency wallets and more than 1,000 decryption keys.
Lockbit is protected from prosecution
Unfortunately, two things suggest that Lockbit could make a comeback. Many members are likely based in Russia or in Russia-friendly former Soviet states and are thus protected from international law enforcement authorities. In addition, the investigative authorities have placed a $15 million bounty on information that leads to the identification of the leaders of the Lockbit group, which suggests that they unfortunately do not currently know who these people are." (Rüdiger Trost, cybersecurity expert at WithSecure)
More at WithSecure.com
About WithSecure
WithSecure, formerly F-Secure Business, is the trusted partner in cyber security. IT service providers, managed security service providers and other companies trust WithSecure, as do large financial institutions, industrial companies and leading communication and technology providers. With its results-oriented approach to cyber security, the Finnish security provider helps companies to align security with their operations, to secure processes and to prevent business interruptions.