The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, days after an international law enforcement exercise seized control of its servers.

To that end, the notorious group has moved its data leak portal to a new .onion address on the TOR network, listing 12 new victims as of writing.

The administrator behind LockBit, in a lengthy follow-up message, said some of their websites were confiscated by most likely exploiting a critical PHP flaw tracked as CVE-2023-3824, acknowledging that they didn’t update PHP due to “personal negligence and irresponsibility.”

“I realize that it may not have been this CVE, but something else like 0-day for PHP, but I can’t be 100% sure, because the version installed on my servers was already known to have a known vulnerability, so this is most likely how the victims’ admin and chat panel servers and the blog server were accessed,” they noted.

They also claimed the U.S. Federal Bureau of Investigation (FBI) “hacked” their infrastructure because of a ransomware attack on Fulton County in January and the “stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming U.S. election.”

They also called for attacking the “.gov sector” more often, while also stating that the server from which the authorities obtained more than 1,000 decryption keys held almost 20,000 decryptors, most of which were protected and accounted for about half of the total number of decryptors generated since 2019.

The group further went on to add that the nicknames of the affiliates have “nothing to do with their real nicknames on forums and even nicknames in messengers.”

That’s not all. The post also attempted to discredit law enforcement agencies, claiming the real “Bassterlord” has not been identified, and that the FBI actions are “aimed at destroying the reputation of my affiliate program.”

“Why did it take 4 days to recover? Because I had to edit the source code for the latest version of PHP, as there was incompatibility,” they said.

“I will stop being lazy and make it so that absolutely every build loker will be with maximum protection, now there will be no automatic trial decrypt, all trial decrypts and the issuance of decryptors will be made only in manual mode. Thus in the possible next attack, the FBI will not be able to get a single decryptor for free.”

Russia Arrests Three SugarLocker Members

The development comes as Russian law enforcement officials have arrested three individuals, including Aleksandr Nenadkevichite Ermakov (aka blade_runner, GustaveDore, or JimJones), in connection with the SugarLocker ransomware group.

“The attackers worked under the guise of a legitimate IT firm Shtazi-IT, which offers services for the development of landing pages, mobile applications, scripts, parsers, and online stores,” Russian cybersecurity firm F.A.C.C.T. said. “The company openly posted ads for hiring new employees.”

The operators have also been accused of developing custom malware, creating phishing sites for online stores, and driving user traffic to fraudulent schemes popular in Russia and the Commonwealth of Independent States (CIS) nations.

SugarLocker first appeared in early 2021 and later began to be offered under the ransomware-as-a-service (RaaS) model, leasing its malware to other partners under an affiliate program to breach targets and deploy the ransomware payload.

Nearly three-fourths of the ransom proceeds go to the affiliates, a figure that jumps to 90% if the payment exceeds $5 million. The cybercrime gang’s links to Shtazi-IT were previously disclosed by Intel 471 last month.

The arrest of Ermakov is notable, as it comes in the wake of Australia, the U.K., and the U.S. imposing financial sanctions against him for his alleged role in the 2022 ransomware attack against health insurance provider Medibank.

The ransomware attack, which took place in late October 2022 and attributed to the now-defunct REvil ransomware crew, led to the unauthorized access of approximately 9.7 million of its current and former customers.

The stolen information included names, dates of birth, Medicare numbers, and sensitive medical information, including records on mental health, sexual health, and drug use. Some of these records also found their way to the dark web.

It also follows a report from news agency TASS, which revealed that a 49-year-old Russian national is set to face trial on charges of carrying out a cyber attack on technological control systems that left 38 settlements of the Vologda without power.

The threat actors behind the KV-botnet made “behavioral changes” to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity.

KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for other Chinese state-sponsored actors, including Volt Typhoon (aka Bronze Silhouette, Insidious Taurus, or Vanguard Panda).

Active since at least February 2022, it was first documented by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The botnet is known to comprise two main sub-groups, viz. KV and JDY, with the latter principally used for scanning potential targets for reconnaissance.

Late last month, the U.S. government announced a court-authorized disruption effort to take down the KV cluster, which is typically reserved for manual operations against high-profile targets chosen after broader scanning via the JDY sub-group.

Now, according to new findings from the cybersecurity firm, the JDY cluster fell silent for roughly fifteen days following public disclosure and as a byproduct of the U.S. Federal Bureau of Investigation (FBI) undertaking.

“In mid-December 2023, we observed this activity cluster hovering around 1500 active bots,” security researcher Ryan English said. “When we sampled the size of this cluster in mid-January 2024 its size dwindled to approximately 650 bots.”

Given that the takedown actions began with a signed warrant issued on December 6, 2023, it’s fair to assume that the FBI began transmitting commands to routers located in the U.S. sometime on or after that date to wipe the botnet payload and prevent them from being re-infected.

“We observed the KV-botnet operators begin to restructure, committing eight straight hours of activity on December 8, 2023, nearly ten hours of operations the following day on December 9, 2023, followed by one hour on December 11, 2023,” Lumen said in a technical report shared with The Hacker News.

During this four-day period, the threat actor was spotted interacting with 3,045 unique IP addresses that were associated with NETGEAR ProSAFEs (2,158), Cisco RV 320/325 (310), Axis IP cameras (29), DrayTek Vigor routers (17), and other unidentified devices (531).

Also observed in early December 2023 was a massive spike in exploitation attempts from the payload server, indicating the adversary’s likely attempts to re-exploit the devices as they detected their infrastructure going offline. Lumen said it also took steps to null-route another set of backup servers that became operational around the same time.

It’s worth noting that the operators of the KV-botnet are known to perform their own reconnaissance and targeting while also supporting multiple groups like Volt Typhoon. Interestingly, the timestamps associated with exploitation of the bots correlates to China working hours.

“Our telemetry indicates that there were administrative connections into the known payload servers from IP addresses associated with China Telecom,” Danny Adamitis, principal information security engineer at Black Lotus Labs, told The Hacker News.

What’s more, the statement from the U.S. Justice Department described the botnet as controlled by “People’s Republic of China (PRC) state-sponsored hackers.”

This raises the possibility that the botnet “was created by an organization supporting the Volt Typhoon hackers; whereas if the botnet was created by Volt Typhoon, we suspect they would have said ‘nation-state’ actors,” Adamitis added.

There are also signs that the threat actors established a third related-but-distinct botnet cluster dubbed x.sh as early as January 2023 that’s composed of infected Cisco routers by deploying a web shell named “fys.sh,” as highlighted by SecurityScorecard last month.

But with KV-botnet being just “one form of infrastructure used by Volt Typhoon to obfuscate their activity,” it’s expected that the recent wave of actions will prompt the state-sponsored actors to presumably transition to another covert network in order to meet their strategic goals.

“A significant percent of all networking equipment in use around the world is functioning perfectly well, but is no longer supported,” English said. “End users have a difficult financial choice when a device reaches that point, and many aren’t even aware that a router or firewall is at the end of its supported life.

“Advanced threat actors are well aware that this represents fertile ground for exploitation. Replacing unsupported devices is always the best choice, but not always feasible.”

“Mitigation involves defenders adding their edge devices to the long list of those they already have to patch and update as often as available, rebooting devices and configuring EDR or SASE solutions where applicable, and keeping an eye on large data transfers out of the network. Geofencing is not a defense to rely on, when the threat actor can hop from a nearby point.”