Fed-run LockBit site back from the dead and vows to really spill the beans on gang

After very boring first reveal, this could be the real deal


Cops around the world have relaunched LockBit's website after they shut it down in February – and it's now counting down the hours to reveal documents that could unmask the ransomware group.

The resurrection of the website – which was formerly the hub of LockBit's extortion operations, where victims were listed and stolen data leaked online – is a follow-up to the initial seizure by international law enforcement agencies that took place in February. Termed Operation Cronos, agencies like the FBI, NCA, and Europol took control of LockBit's Tor-hidden site, a major disruption for the ransomware gang.

Part of the February takeover was repurposing the LockBit website instead of simply nuking it. Where ransom threats with timers and leaked info once were, the Feds replaced them with articles detailing the inner workings of the LockBit crew themselves. The police-controlled site eventually went offline, though it is now back and counting down to more disclosures.

That all said, the earlier cop-written articles ended up being pretty anticlimactic. For instance, one piece titled "Who is LockbitSupp", which was expected to expose the person who serves as the face for the cyber-cartel, simply told us LockBitSupp lives in Russia and drives a Mercedes car, and may be talking to the police.

Speaking at the RSA Conference in San Francisco on Monday, Charles Carmakal, CTO of Google's security wing Mandiant, said that this time, the upcoming reveal could be the real deal and give a lot more information about LockBitSupp. Mandiant has close ties with federal investigators on both sides of the Atlantic and beyond.

The LockBit website currently displays eight locked pages each with a countdown ending at 1000 ET (1400 UTC) Tuesday. An additional timer indicates that the website's new lease on life won't last too long, as it will be expiring on May 10 at 1000 ET.

Notably, one of the eight articles is again titled "Who is LockbitSupp?" and while this may just be a copy-paste of the original piece from February, it could be a redo with some more info that hopefully answers the question in the headline in a more satisfying way.

For its part, LockBit doesn't seem to be deterred. "I don't understand why they're putting on this little show," a rep from the extortion gang said in an interview with VX Underground. "They're clearly upset we continue to work." The spokesperson also countered the Feds' press releases by saying the US agents were lying, which is unsurprising for a bunch of crooks.

While LockBit has a new website of its own and seems to be up to its usual crimes, Operation Cronos may have significantly weakened the group. Its latest raids have allegedly been against hospitals, Fulton County in Georgia, and even the FBI. The Fulton County ransom may not have come to anything, as county officials said they didn't pay a cent while LockBit says they did and thus didn't leak the hostage info.

Given it's been over two months since the original LockBit reveal, we'd hope that the upcoming announcements will have substantially more information about the cybercriminals behind the extortion crew. ®

Updated to add

The Feds have named and charged Russian national Dmitry Yuryevich Khoroshev, 31, in relation to his alleged role as leader of the LockBit crew.

Additional reporting from RSA Conference by Jessica Lyons.
