LockBit Remains Ransomware Leader Despite Law Enforcement Pressure

Since law enforcement disrupted the activities of the criminal group on February 20, LockBit ransomware has been used for at least fourteen data breaches.

After law enforcement agencies attacked LockBit’s servers, the general use of various ransomware applications has significantly declined

The notorious ransomware gang LockBit has recently claimed that its enterprise has been undergoing rapid recovery following the shutdown of its servers by the combined efforts of international law enforcement agencies, including the FBI and the UK National Crime Agency (NCA) on February 20th. Although these assertions, along with LockBit’s promise to pay a $20,000,000 bounty to anyone who can dox their leaders, were interpreted as mere bluffing by some in the cybersecurity community, LockBit appears to maintain its leading position in the ransomware industry.

According to Daily Dark Web, a news outlet that regularly shares information about ransomware incidents with the X community, there have been at least fourteen attacks conducted either by LockBit itself or by its affiliates since the disruption.


The most recent incident occurred today and affected GAP Solutions, a management consulting company based in Australia.

This data breach followed three attacks committed with the LockBit 3 ransomware yesterday. The targets included Eastern Shipbuilding Group, a commercial shipyard engineering company based in the USA; Sund Birsta, a supplier of handling systems for wire and rod mills; and Veru, a Canadian biopharmaceutical company.

Top 5 Ransomware Gangs on February 27
Source: Daily Dark Web

Nouvelle Parfumerie Gandour, Pratt Industries, Silgan Holdings, Ernest Health, A.P. Eagers, Dunaway, EquiLend, National Dentex Labs, CRB Group, and Magi ERP, a software developer, are among the companies and organizations exploited by LockBit 3 ransomware since the announcement of the shutdown of the gang’s servers.

Despite the disruptions in LockBit operations, the ransomware enterprise remains the industry leader, according to recent statistics from Daily Dark Web. The X-based news outlet reports that LockBit facilitated nine of the sixty-four data breaches recorded within the last week. Following LockBit on Daily Dark Web’s list of the top five ransomware gangs are Black Basta, Blackcat, Akira, and RansomHouse.

Although LockBit maintains its prominent position in the criminal underworld, it is clear that the gang did not operate at full capacity last week. During the week preceding the law enforcement targeting of LockBit's infrastructure, the criminal group executed over forty data breaches, outpacing other leading gangs such as Hunters International, Blackcat, Play, and BianLian.

However, data provided by Daily Dark Web also suggests a general decline in the activity of criminals engaged in ransomware attacks after law enforcement agencies took control of LockBit’s servers. The total number of ransomware victims during a seven-day period between February 11 and February 17 was more than twice as high, amounting to 147.


In its recent response to the actions of the FBI and NCA, a LockBit representative claimed that the stability of its service is "guaranteed by years of continuous work," explaining that only the servers with the PHP vulnerability were taken over by law enforcement, while the rest remained uncompromised. This possibly allowed the criminals to swiftly restore their infrastructure and continue their illegal activities.

Additionally, LockBit commented on law enforcement agencies’ acquisition of more than 1,000 decryption keys that could potentially be used for data recovery, asserting that victims will still have to pay.

"Even after the FBI hack, the stolen data will be published on the blog. There is no chance of destroying the stolen data without payment," LockBit explained, adding that "After introducing maximum protection on every build of the locker, there will be no chance of free decryption, even for 2.5% of attacked companies."