The LockBit Ransomware Gang Is Back In Operation, How Can It Be? Here's An Explanation From Cyber Security Experts
Dony Koesmandarian, Territory Manager, Kaspersky Indonesia (photo: Dinda Buana/VOI)

JAKARTA - Around February 20, Britain's National Crime Agency (NCA) and the FBI arrested two alleged members of LockBit, one of the world's leading ransomware gangs.

In addition to arresting the two defendants, the Cyber Division of the UK's National Crime Agency, together with the United States Department of Justice (DOJ), the FBI, and other law enforcement agencies, said it had taken control of the website used by LockBit in a rare international operation.

Recently, however, the ransomware gang announced that it had restored its servers and resumed operations. The group said law enforcement had hacked LockBit's dark web site, where the gang leaks data stolen from its victims, by exploiting vulnerabilities in the PHP programming language.

"All other servers with a backup blog that doesn't have PHP installed are unaffected and will continue to provide data stolen from the company being attacked," LockBit wrote in a statement.

According to Dony Koesmandarian, Territory Manager at Kaspersky Indonesia, the LockBit ransomware operation was able to return because the group already has a very large community or organization.

"It could be (the community is already big). Yes, because the organization is already big. Maybe 2 or 3 people have been caught, the rest have not. The rest will make new ones. Yes, it's called looking for opportunities, right," Dony told VOI on Tuesday, February 27 in Jakarta.

This explanation makes sense, given that the NCA itself revealed that LockBit has its own affiliates, whom it recruited to carry out attacks using its digital extortion tools.

LockBit ransomware attacks targeted thousands of victims worldwide, including in the UK, and caused billions of pounds, dollars and euros in losses, both in ransom payments and in recovery costs.

"This group provides ransomware-as-a-service to a global network of hackers or 'affiliates', supplying them with the tools and infrastructure needed to carry out attacks," the NCA wrote at the time.
