27 February 2024

7 min read

LockBit returns with new leak site following law enforcement takedown | Cyber Intelligence Briefing: 27 February

February 2024
Cyber Briefing News


Top news stories this week

  1. Back with a bang. LockBit sets up new leak site and threatens to publish Fulton County data. 
  2. I-Spy. Data leak reveals China uses cyber security firm I-Soon to spy on citizens and foreign governments.
  3. Patch wisely. ScreenConnect vulnerabilities exploited in ransomware attacks.
  4. All change. Threat group Knight sells encryptor source code as Russia disrupts SugarLocker ransomware gang. 
  5. Service denied. Hacktivists target Universities of Cambridge, Manchester, and Wolverhampton in DDoS attack.
  6. Privacy peril. Pegasus spyware found on EU parliament staffers’ phones.

Listen to the Cyber Intelligence Briefing

New call-to-action New call-to-action New call-to-action New call-to-action

1. LockBit updates: Group back online with new infrastructure and threats 

LockBit has set up new infrastructure one week after a joint UK, EU, and US law enforcement operation took over its leak site. The ransomware group claims to have obtained documents from the ongoing election racketeering case against former US President Donald Trump from a recent attack on Fulton County, which it has now threatened to publish on 2 March.

Separately, law enforcement revealed that before the takedown the group was developing an enhanced version of their malware, potentially to be named LockBit 4.0. LockBit said the law enforcement takedown happened because the group forgot to patch two PHP servers. The UK’s National Crime Agency (NCA) estimated that the group had generated more than USD 1 billion in ransom fees since its inception in 2020.

So what?

The resurgence of the group underscores the formidable challenge law enforcement faces in dismantling sophisticated ransomware groups such as LockBit.

[Researcher: Aditya Ganjam Mahesh] 

2. Data leak reveals China used private company to spy on citizens and foreign governments  

A data leak from Chinese cyber security firm I-Soon has revealed that the Chinese government used the company to spy on its own citizens. A dump of more than 500 files onto GitHub also revealed that the company discussed spying on NATO, the UK Foreign Office, and several foreign affairs ministries in Asia. I-Soon and Chinese law enforcement are reportedly investigating the leak.

So what?

The leak offers a rare glimpse into the extent of China’s surveillance efforts, demonstrating how governments can enlist private companies as hackers for hire to advance their agendas. 

[Researcher: Waithera Junghae]

3. ScreenConnect vulnerabilities exploited in ransomware attacks

IT company ConnectWise has announced two vulnerabilities affecting its remote access software ScreenConnect. Thousands of vulnerable servers have been identified by researchers, who also observed cybercriminals exploiting the flaws to deliver malware, including LockBit ransomware.

So what?

Organisations using ScreenConnect should patch their systems immediately and follow guidance from ConnectWise.

[Researcher: David Broome]

New call-to-action


4. Knight ransomware sells source code as Russia disrupts SugarLocker cyber gang   

A representative of the Knight ransomware group, which first appeared in July 2023, is selling the source code for the group’s encryptor on a hacking forum. The group has been inactive since last December, and is seeking a single buyer for their assets.

Separately, Russian authorities arrested three alleged members of SugarLocker, a low-profile ransomware gang which was targeting individual computers in 2022. Security researchers have suggested the arrests could be a Russian PR stunt demonstrating the nations’ capability to conduct similar operations to the LockBit takedown.

So what?

These changes highlight the volatility of the cyber threat ecosystem and the continuous evolution of cybercriminal gangs. 

[Researcher: Waithera Junghae]

5. DDoS attack causes disruption at Universities of Cambridge, Manchester, and Wolverhampton

Russia-linked hacktivist group Anonymous Sudan has claimed responsibility for a DDoS attack on the Universities of Cambridge, Manchester, and Wolverhampton, impacting the availability of IT services. The group, which targeted a high-speed network used by the UK research and education community, said they carried out the attacks in retaliation for the UK government’s support for Israel.

So what?

Developing a DDoS response plan is key to ensuring that your organisation can effectively and efficiently manage an attack that aims to disrupt service availability.

[Researcher: David Broome]

6. EU politicians’ phones investigated following Pegasus spyware intrusion

Two EU parliamentarians and one staffer on the security and defence subcommittee were targeted with Pegasus spyware. The discovery has placed the European Parliament on high alert in the run-up to the June EU election and prompted checks for the spyware on all subcommittee member devices.

So what?

The growing popularity of spyware highlights the importance of regular security checks on devices to protect data and uphold confidentiality.

[Researcher: Lawrence Copson]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Share this post

Subscribe to our insights

Get industry news and expert insights straight to your inbox.