26 February 2024

LockBit resurfaces after law enforcement takedown


Following the global law enforcement takedown on February 19, 2024, the notorious ransomware group appears to be restoring its infrastructure.

The law enforcement operation led to the arrest of several alleged LockBit affiliates in Ukraine and Poland. Additionally, 34 LockBit servers were seized, and more than 14,000 online and web hosting accounts associated with previous LockBit attacks were identified and shut down. Furthermore, authorities took control of over 200 cryptocurrency accounts linked to LockBit.

The UK's National Crime Agency (NCA) took the lead in the operation, seizing LockBit's infrastructure, including its leak site used for publishing stolen data from ransomware victims. Moreover, over 1,000 decryption keys were obtained, enabling law enforcement to develop a decryption tool accessible through Europol’s “NoMoreRansom” platform.

In parallel, US authorities unsealed an indictment against two Russian nationals, Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, for their alleged involvement in deploying LockBit ransomware against multiple victims. Kondratyev faces additional charges related to operating the REvil/Sodinokibi ransomware. Both individuals have been sanctioned by the US Department of the Treasury's Office of Foreign Assets Control.

Furthermore, the US State Department has offered rewards of up to $10 million for information leading to the capture of LockBit’s leaders and up to $5 million for tips leading to the arrest and/or conviction of LockBit’s affiliates.

According to Trend Micro, LockBit had been working on a new version of the malware dubbed ‘LockBit-NG-Dev’ (NG for Next Generation), likely to be released as LockBit 4.0. LockBit-NG-Dev is written in .NET and compiled using CoreRT. It currently has fewer capabilities than v2 (Red) and v3 (Black), but it is still under development, so new capabilities are likely to be added in the future.

The new version lacks the self-propagating mechanism and the ability to print ransom notes on the user’s printers. Execution is now gated by a validity period, enforced by checking the current date, most likely to give the operators tighter control over affiliate use and to hinder automated analysis by security vendors’ sandboxes.

Now, LockBit is reportedly attempting to rebuild its operation. The gang kept the brand name and moved its data leak site to a new .onion address that lists five victims with countdown timers for publishing stolen information.

LockBitSupp, the figure representing the ransomware service on cybercrime forums, has reportedly interacted with law enforcement.

“We know who he is. We know where he lives. We know how much he is worth. LockbitSupp has engaged with law enforcement,” the authorities said in a message posted on the now-seized (and offline) dark web data leak site.

However, speaking with researchers from the VX-Underground malware-sharing collective, the gang administrators said that “they did not believe law enforcement know his/her/their identities. They even boastfully raised the bounty of their head to $20,000,000.”

Operation Cronos also shed some light on the vast profits the LockBit gang and its affiliates accumulated during their four-year ransomware operation. As part of the operation, the police retrieved over 30,000 Bitcoin addresses. Analysis revealed that these addresses held around $126.6 million, $114 million of which remained unspent. These funds consist of both payments made by victims and fees charged by LockBit. It is highly probable that the actual ransom payments far exceed the amounts represented by these figures.
