Lockbit’s Threat to the FBI: Lessons for Developers and Cybersecurity Professionals
Learning cybersecurity from havoc-wreaking hacking groups such as Lockbit has proven to be very insightful. Prior to a leak (data breach) of FBI-classified information that could potentially jeopardize the next US elections, the FBI successfully pwned some of Lockbit’s servers to interrupt the operation via a known CVE vulnerability affecting PHP 8.1.2 servers.
However, the notorious hacking group, Lockbit, returned with renewed strength just four days after the incident. They went further and publicly shared the incident report and the security measures they have adopted. \(*.*)/
It takes a lot of confidence to do this!
In this article, I share with you insightful information to learn from Lockbit’s publicly released threat (letter) to the FBI, whether you are a developer or cybersecurity enthusiast. I formatted the letter, organised it into sections, and highlighted interesting details, all of which are available on this GitHub repository.
You can star the repository if you are interested in getting more updates on this thread.
Diving straight in, I categorized the threat into 7 main sections:
1. Incident & Threat Analysis
2. Threat Intelligence
3. Post Incident Activities
4. Impact Analysis
5. Incident Report & Disaster Recovery
   - Recovery Point Objective
   - Entry Point
   - Threat Objective
   - Mission Statement
6. Links to Leaked Resources
7. Business Continuity
…it is very hard to sit at the computer with hundreds of millions of dollars, the only thing that motivates me to work is strong competitors and the FBI, there is a sporting interest and desire to compete.
The above is a quotation from Lockbit’s public notice. First, please read the formatted version of the letter here, and then return to this article for analysis. ;)
TL;DR ?? No problem. You’ll find all the insights here.
#1: Incident & Threat Analysis
In this section Lockbit explains the events that possibly led to the incident or exploit. In cybersecurity jargon, an event is any observable occurrence in a network or system. In this case, we can say the event was an incident because it successfully compromised the integrity and availability of Lockbit’s PHP servers, on which the data breaches (leaks) were hosted.
The events here were nginx 502 Bad Gateway and 404 Not Found responses.
Those are usually clear indicators of cybercrime incidents. If appropriate measures are taken in a timely manner, the incident can be contained, eradicated and the system recovered. The steps to follow in the event of a cybercrime incident are usually clearly defined in an Incident Response Plan.
I uploaded a free Incident Response Plan Template so you can have a look! Don’t thank me yet ;}
The vulnerability that enabled the FBI to successfully hack into the Lockbit servers was stated to be CVE-2023-3824. CVE, or Common Vulnerabilities and Exposures, is a system used to uniquely identify and standardize the naming of vulnerabilities in software and hardware products. It provides descriptions of vulnerabilities, information about affected products, and references to additional resources or fixes. Maintained by the MITRE Corporation, CVE entries are essential for tracking and managing vulnerabilities in cybersecurity.
As a developer, it’s crucial to consistently gather information about potential vulnerabilities in the libraries, frameworks, plugins, APIs, servers and other components you use in your software, from public vulnerability repositories such as CVE, Exploit-DB and OWASP.
Note that this is not a one-time task. As long as your software or platform remains in the production environment, you must continue monitoring these repositories to take timely action when necessary.
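As an added example that is not part of the original article, here is a small Python checker that takes the `configurations` block of an NVD API 2.0 record and tells you whether the PHP version you run falls inside a vulnerable range, so the monitoring described above can be scripted instead of done by hand. The version ranges in the sample are constructed data in that JSON shape (labelled so in the code), not a live download, so confirm them against the real CVE-2023-3824 record before acting on them.

```python
# Added example (not from the article): check an installed PHP version against
# the vulnerable ranges of a CVE in the "configurations" shape of the NVD API 2.0.
# Constructed sample data in that shape, not a live NVD download.
SAMPLE_CONFIGURATIONS = [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
    {"vulnerable": True, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.30"},
    {"vulnerable": True, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "8.1.0", "versionEndExcluding": "8.1.22"},
    {"vulnerable": True, "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "8.2.0", "versionEndExcluding": "8.2.8"},
]}]}]

def parse_version(text):
    """'8.1.2' -> (8, 1, 2); each dotted piece is reduced to its digits ('0rc1' -> 1)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def cpe_product(criteria):
    """cpe:2.3:<part>:<vendor>:<product>:<version>:... -> 'vendor:product'."""
    fields = criteria.split(":")
    return f"{fields[3]}:{fields[4]}"

def in_range(match, version):
    """True if `version` falls inside the bounds carried by one cpeMatch entry."""
    v = parse_version(version)
    checks = {"versionStartIncluding": lambda b: v >= b, "versionStartExcluding": lambda b: v > b,
              "versionEndIncluding": lambda b: v <= b, "versionEndExcluding": lambda b: v < b}
    keys = [k for k in checks if k in match]
    if not keys:
        # No range given: the version baked into the CPE string must match exactly.
        explicit = match["criteria"].split(":")[5]
        return explicit in ("*", "-") or parse_version(explicit) == v
    return all(checks[k](parse_version(match[k])) for k in keys)

def is_affected(configurations, product, version):
    """True if any vulnerable cpeMatch for `product` ('vendor:product') covers `version`."""
    return any(m["vulnerable"] and cpe_product(m["criteria"]) == product and in_range(m, version)
               for config in configurations
               for node in config["nodes"]
               for m in node["cpeMatch"])
```

Feed it the `configurations` array of a real NVD record and the output of `php -v` on each server to get a yes/no answer per CVE.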
Another major takeaway from this section is the concept of decentralized infrastructure. Lockbit clearly states:
If I didn’t have backup servers that didn’t have PHP on them, I probably wouldn’t have figured out how the hack happened.
Another consequence could have been that the backend servers would have been compromised as well, leading to the complete loss of data. In this context, a decentralized infrastructure refers to a system or network architecture where authority and decision-making are distributed across multiple nodes or participants, rather than being centralized in a single entity or location (server).
Ensuring that the nodes or backup servers run on different technology stacks (PHP, Node.js, Python, …) could act as an additional layer of security. This is what limited the impact of the FBI hack on Lockbit: if there is a vulnerability and one server is hacked, the backups won’t be reached.
#2: Threat Intelligence
After gathering enough information about the incident, the next step is to analyze it using known data and threat intelligence. Threat intelligence refers to the knowledge and insights gained from analyzing various sources of information to understand a cybersecurity threat. This information can include, but is not limited to, indicators of compromise and the tactics, techniques and procedures (TTPs) used by threat actors.
This section rather describes threat intelligence from a criminal’s perspective. Here, Lockbit clearly points out, after analysis, the motives of the attacker, the FBI. What is particularly interesting to me here is when they state…
…but all you need to do to not get caught is just quality cryptocurrency laundering.
Quite exciting, ain’t it? If you read between the lines, you probably noticed that the FBI had hacked Lockbit’s servers long before the indicator of compromise was detected. All this time, the FBI was silently monitoring them to gather intelligence on their identities and money laundering techniques.
Cryptocurrency laundering, also known as crypto laundering or crypto mixing, refers to the process of concealing the origins of illegally obtained cryptocurrency funds. It involves transferring these funds through a series of transactions or mixing services to obscure the trail and make it difficult to trace the funds back to their original source.
That could be achieved by mixing a user’s cryptocurrency with that of another, usage of privacy coins such as Monero (XMR), layering or even P2P trading.
#3: Post Incident Activities
Post Incident activities include implementing security measures to patch the vulnerabilities that led to the incident. Lockbit does us a very big favor here by sharing theirs with us regarding the CVE-2023-3824 vulnerability.
Get your pen and notebook: if your server was pwned due to the CVE-2023-3824 vulnerability in PHP v8.1.2, here’s exactly what to do (^^)
- Update your server’s PHP version from v8.1.2 to v8.3.3 (or the latest available).
- Change your hoster (hosting or cloud service provider).
- Consider changing your server as well to more secure options.
- Change all possible passwords, including but not limited to the user passwords that were found in the database.
If your platform has thousands of users, instead of telling them to change their passwords (which many won’t do), I recommend implementing a robust password policy on their behalf and emailing them their new passwords. Subsequently, they can change it at will.
- Audit the source code and migrate everything to a different technology or framework if deemed necessary, especially if your source code was exposed.
This brings us to the concepts of system hardening and zero days. A zero day is a previously unknown vulnerability that can be exploited without risk of detection or prevention because, in general, it does not fit recognized patterns, signatures or methods.
Server hardening, on the other hand, is the process of enhancing the security of a server by implementing various measures to reduce its exposure to potential threats and vulnerabilities. The goal of server hardening is to minimize the risk of unauthorized access, data breaches, and other security incidents.
In our context, if your server is hacked and hardened against you, it literally means that you won’t be able to access it anymore. :/
- In case you suspect a zero day, or if your server was hardened against you, the only correct answer is a full and complete migration (from the backups, of course!).
#4: Impact Analysis
This section describes the activities performed prior to the process of disaster recovery in order to ensure business continuity. Let’s discuss this section from both an attacker’s and a victim’s perspective.
After the process of threat intelligence, Lockbit was able to enumerate and map all of their system infrastructure that was compromised as a result of the FBI’s exploit on their servers.
- The Database. It contained an organized collection of the nicknames of their partners, users, victims, chats with previously attacked companies, bitcoin wallets, and passwords. Had the usernames not been randomly generated, this would have been it for Lockbit. The takeaway here is to think about encrypting data before storing it in the database.
- Web Panel Sources. This is definitely the most critical compromised infrastructure. Web Panel Sources are simply the source code of the various panels (or websites, if you want) that Lockbit uses to release data breaches (leaks). The FBI could study the source code and identify potential vulnerabilities to easily launch subsequent attacks. Just that Lockbit figured it out already. (-_-)
- Locker Stubs. These, in my view, can be described as secure collections of decryptors, which could be used to release the encrypted information systems of Lockbit’s victims upon payment of a ransom. Here again, Lockbit claims to have encrypted the decryptors before storing them on the server, which doesn’t make things any easier for the FBI.
#5: Incident Report | Disaster Recovery
Usually, after performing all the activities as planned in the Incident Response Plan, the Security Operations Center (SOC) team produces a detailed report that fully documents the incident and the mitigation efforts. This document serves as intelligence for future security decisions.
Disaster Recovery on the other hand, refers specifically to restoring the information technology and communication services and systems needed by an organization, both during the period of disruption and during restoration of normal services.
For Lockbit, this meant revising their source code, migrating their systems, restoring their panels and starting a new countdown to leak the compromised FBI data if the ransom isn’t paid in due time.
Let me highlight for you some of the key takeaways regarding this section:
- Recovery Point Objective: This term generally refers to possibly compromised server transactions and corrupted backups that need to be restored. To prevent this from ever happening again, or rather, to ensure the data is useless if accessed without authorization, Lockbit planned to remove the automatic decrypt functionality and only manually issue decryptors.
- Entry Points: An entry point is the initial vulnerability or weak point in a system or network that an attacker exploits to gain unauthorized access.
Hey, what, according to you, is the Entry Point that the FBI used to pwn the Lockbit panels? Drop your answer in the comments and win a cybersecurity certification voucher ;-\
- Tox: Tox is a decentralized messaging protocol designed to provide secure and private communication. Tox operates without a central server, ensuring privacy, and offers additional features like file sharing and group chats. Keeping your client updated ensures the latest security measures are in place.
I’ll write a whole article on how to install and configure Tox for secure messaging. Follow my blog and don’t miss it!
- Cryptocurrency Exchanger. We’ve discussed this already right ?!
- Threat Objective. Although systems are generally pwned for unauthorized data access or disruption of information systems, the threat objective here stands as the most important reason for the hack. Remember that before the incident was discovered, the FBI had long since hacked Lockbit’s PHP servers.
The FBI erased all the data from Lockbit servers because, the FBI didn’t want Lockbit to … (Complete this sentence correctly in the comments and win another cybersecurity voucher — (-.+) — )
Okay well, you might wonder what motivates Lockbit to keep wreaking havoc on systems, huh?! Hear it from them.
…I am just bored, I love my work, it brings me joy from life, money and luxury do not bring such joy as my work, that’s why I am ready to risk my life for the sake of my work, that’s how bright, rich and dangerous life should be in my opinion.
That’s nerdy, right? hahaha.
#6: Links to Leaked Resources
This section is just a collection of onion links that you can use to access publicly leaked sensitive and classified information from companies who couldn’t pay the ransom to Lockbit on time :(
You can securely access the onion links on the Tor network by following the steps below:
- Install the Tor Browser from the official Tor Project website.
- Launch the Tor Browser on your device (preferably on a VM) with a VPN.
- Enter the onion URLs directly into the address bar.
And that’s it !
#7: Business Continuity
This is the last section of this insightful public letter to the FBI. It clearly invites pentesters to pay a 2 bitcoin fee to join the Lockbit Affiliate Program and start earning hundreds of millions of dollars, lol.
In summary, maintaining a proactive stance against evolving security threats is paramount for developers and cybersecurity experts. Stay ahead of the game by ensuring your software is always up to date and steering clear of any known vulnerabilities. Consider enlisting the expertise of a penetration tester from the outset to fortify your defenses and safeguard against potential risks. Investing in proactive security measures today could be the key to saving valuable time, resources, and even ransom money tomorrow.