LockBit is making a comeback after Operation Cronos, reactivating mirror servers, listing a fresh batch of victims, and adopting new leak methods such as onion-hosted pages and torrents. The piece traces LockBit's second reign, detailing victimization, infrastructure, Crinetics as a case study, and the revelation of LockBitSupp's identity. Hashtags: #LockBit #OperationCronos #Crinetics #Polycab #RJCorp #DSIB #Dispossessor #Hexonium #DmitryYuryevichKhoroshev #Europol
Key Points
- LockBit resurfaces within a week after Operation Cronos with mirror servers online and new victims listed on the Data Leak Site (DLS).
- Victimization expands to include high-profile targets (DSIB, Polycab, Crinetics, etc.) with a stated average 29-day negotiation window per victim.
- LockBit infrastructure centers on onion domains (Tor) and nginx, hosting large leaks via a dedicated onion-based DLS (e.g., lockbit33chewwx25efq6dgkhkw4u7nefudq4ijkuamjfd7x73on6dyd.onion).
- Transition to torrent/file-sharing for leaks, packaging victim data with five-character IDs and enabling broader distribution.
- Crinetics case study shows negotiations, ransom demands (up to multi-million USD), and listed BTC/XMR wallets; suspected affiliate involvement.
- Identity reveal of LockBitSupp as Dmitry Yuryevich Khoroshev triggers attention from Europol and FBI; new victim batches appear, with debates over inflated counts and potential affiliates (Hexonium).
MITRE Techniques
- [T1090.003] Proxy: Tor – LockBit uses onion domains to host leak pages and communications. Quote: “Onion Domain:- lockbit33chewwx25efq6dgkhkw4u7nefudq4ijkuamjfd7x73on6dyd.onion”
- [T1567.002] Exfiltration to Web Service – Victims’ data is published on the LockBit Data Leak Site (DLS) onion domain. Quote: “Data Leak Site (DLS)” and “listing new victims on their Data Leak Site (DLS)”
- [T1041] Exfiltration Over C2 Channel – Data is leaked to LockBit leak servers/public sites. Quote: “leaking the entire data on the LockBit leak servers to the public”
- [T1583] Acquire Infrastructure – LockBit maintains onion-domain infrastructure and a stable server for large leaks (e.g., “lockbit33chewwx25efq6dgkhkw4u7nefudq4ijkuamjfd7x73on6dyd.onion” and nginx). Quote: “maintains a stable server to host large leaks on a new Onion Domain”
Indicators of Compromise
- [Domain] Onion domains – lockbit33chewwx25efq6dgkhkw4u7nefudq4ijkuamjfd7x73on6dyd.onion, lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion, bu27ucccflf4bkwssunbtvf6lflhp6ydvbqoxduf62ywzmpmv24wcgid.onion, 3bqptmf5ergw7mgj6jalvn5ohh2ubhssestvrwfdoubaz7nkrix4jcqd.onion:6969
- [IP] 5.182.5.126 – Location: Russia
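One way to put the indicators above to use on the defensive side is to sweep proxy and DNS logs for them. The script below is an added example written for this summary, not code from the original article or from any project it mentions; the onion addresses and IP come from the IoC list above, while the log lines are constructed for illustration (the ticket line shows a defanged form with `hxxp://` and `[.]`, and the DNS line carries the `:6969` port seen in the list, both of which the matcher normalises before comparing).

```python
"""Match the LockBit IoCs listed above against proxy/DNS log lines (added example)."""
import re

# Indicators copied from the "Indicators of Compromise" list above.
# The fourth address appeared with ":6969"; ports are dropped before matching.
ONION_DOMAINS = {
    "lockbit33chewwx25efq6dgkhkw4u7nefudq4ijkuamjfd7x73on6dyd.onion",
    "lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion",
    "bu27ucccflf4bkwssunbtvf6lflhp6ydvbqoxduf62ywzmpmv24wcgid.onion",
    "3bqptmf5ergw7mgj6jalvn5ohh2ubhssestvrwfdoubaz7nkrix4jcqd.onion",
}
IOC_IPS = {"5.182.5.126"}

# All four indicators are v3 onion addresses: 56 base32 characters plus ".onion".
ONION_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(text):
    """Undo common defanging ("hxxp", "[.]", "(.)") so indicators pasted into
    tickets or reports still match the canonical form."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def scan_line(line):
    """Return (indicator_type, value) pairs from the IoC list found in one line."""
    text = refang(line).lower()
    hits = []
    for label in ONION_RE.findall(text):
        host = label + ".onion"          # any ":port" suffix is outside the match
        if host in ONION_DOMAINS:
            hits.append(("domain", host))
    for ip in IPV4_RE.findall(text):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    return hits


def scan_log(lines):
    """Map each matched indicator to the 1-based line numbers where it appeared."""
    findings = {}
    for n, line in enumerate(lines, start=1):
        for _, value in scan_line(line):
            findings.setdefault(value, []).append(n)
    return findings


# Constructed sample lines (not from the original article): a squid-style proxy
# log, a DNS query log, a defanged line pasted from a ticket, and a benign line.
SAMPLE_LOG = [
    "1715000001.123 10.0.0.5 TCP_TUNNEL/200 CONNECT "
    "lockbit33chewwx25efq6dgkhkw4u7nefudq4ijkuamjfd7x73on6dyd.onion:443",
    "May 6 12:00:02 resolver named[1]: query: "
    "3bqptmf5ergw7mgj6jalvn5ohh2ubhssestvrwfdoubaz7nkrix4jcqd.onion:6969 IN A",
    "ticket-4711: user reported hxxp://bu27ucccflf4bkwssunbtvf6lflhp6ydvbqoxduf62"
    "ywzmpmv24wcgid[.]onion/ in a phishing mail",
    "1715000003.456 10.0.0.7 TCP_MISS/200 GET http://5.182.5.126/update.bin",
    "1715000004.789 10.0.0.8 TCP_MISS/200 GET https://example.com/index.html",
]

if __name__ == "__main__":
    for value, line_numbers in scan_log(SAMPLE_LOG).items():
        print(f"{value}: lines {line_numbers}")
```

Matching on the full 56-character label rather than a substring keeps a look-alike address that shares a prefix (the two `lockbit…` domains) from being confused with each other, and the refang step means the same matcher works on raw logs and on indicators copied out of reports.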
Read more: https://medium.com/coinmonks/the-return-of-lockbit-8d7bcb9b75fa