Bustling activity: LockBit publishes over 100 alleged victims

Many of the supposedly new leaks are old, and one prominent victim also denies an attack. LockBit also issued a denial, but on its own behalf.

Ransomware has spread in the network.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

The ransomware group LockBit has been in a flurry of activity since the highly publicized unmasking of its leader "LockBitSupp". Over the past few days, the gang has published posts on its darknet website about more than 120 alleged new victims, apparently in response to the actions of international law enforcement agencies. In addition, the head of the gang denies that investigators have identified him correctly.

A morning look at the latest publications by international ransomware groups turned into a marathon on the Friday bridge day: no fewer than 78 posts dated May 9 appeared on the LockBit blog, even though that day is a public holiday in Russia (Victory Day). The group was also extremely active on May 7 and 8, with 31 and 15 posts respectively.

This flurry of activity is probably related to the revelations about "LockBitSupp", the head of the gang, which recently appeared on his former leak site. After international investigators took it over, the site initially went offline, but the authorities have now reactivated it as a kind of darknet press office. On May 7 at 4 p.m., the FBI and its partners took action and "doxxed" the ransomware operator. In addition to his name, the US Department of Justice also published an indictment containing his telephone numbers and email addresses.

However, there are clear doubts about the authenticity of the victims LockBit has now listed, as there have been in recent months. The usually well-informed group "VX Underground" voiced the suspicion on the short message service X that these were republications intended as retaliation against the law enforcement agencies.

German companies and institutions are also among the published victims. Marco Frezzella, press spokesman for the Technical University of Ilmenau, confirmed to heise Security that there had been an attack on what he described as a "very limited, decentralized area of the TU Ilmenau backup service" during the night of 14 to 15 March. This area was immediately isolated, and the ransom demand made by LockBit was not met. The university's central IT services were not affected, said the spokesperson, who also confirmed that all relevant supervisory authorities had been informed.

The Catholic Youth Welfare of the Diocese of Augsburg (KJF) also received an uninvited visit from the ransomware gang on April 17. According to a statement on the care organization's website, the gang gained access to the network and copied data, including health data. In addition to the KJF headquarters, more than a dozen sub-organizations were affected, including several clinics.

However, there is no truth to the attack on Deutsche Telekom that is also listed on the LockBit leak site, as a company spokesperson confirmed to heise Security. "There are no signs of an attack on Deutsche Telekom," said Christian Fischer from the company's press team.

In a blog post called "contest.omg", the alleged head of the LockBit gang, who was unmasked a few days ago, also speaks out, and as expected he issues a denial. According to the post, the Russian Dmitry K., who is subject to international sanctions and has been indicted in the United States, is not LockBitSupp. For his part, he offered a reward of 1000 US dollars to the first person who successfully makes contact with K. and can prove it.

However, the denial stands on shaky ground, as it is not only the US authorities who are sure of their case: security researcher Jon DiMaggio also states that Dmitry K. is the LockBit gang leader. The American shares his own research in a long article entitled "Ransomware Diaries, Volume 5".

(Editor's note: Although the full name, photos and other identifying information about Dmitry K. are circulating on the internet, we have decided to continue to abbreviate his name, as this is reporting on a suspicion.)

(cku)