Older Leaks Resurface: LOCKBIT Imitator on Surface Web

Rakesh Krishnan
Coinmonks


NOTE: This short article is a quick write-up on the latest finding of a Data Leak Site (DLS) of a LockBit Ransomware Group imitator, which began to appear recently (January 2024). As the story is at its early stage, it will progress over time.

It is NOT a new practice to come across look-alike or impersonator Data Leak Sites (DLS), where the older leaks of a Ransomware Group start to appear under a new brand name at a different time. The sole motive behind this act is to mimic the infamous Ransomware Operators and stimulate the FEAR factor among newly infected victims, ultimately disguising the newcomers as the same group.

Criminal finds shelter under the hood of Main Antagonist | Impersonator and LockBit || Credit: Self-Gen AI

Hence, small players/newcomers often impersonate industry-known Ransomware Groups to borrow the aura of prominent groups, easing negotiation with their future victims by maintaining and amplifying the existing scare factor of the legitimate group.

In this Investigation Article, we are going to uncover the doppelganger of LockBit on the Surface Web.

Case 1: NONAME — DATA LEAK SITE OF LOCKBIT

During my regular Threat Intelligence activities on the Dark Web, I came across a Data Leak Site (DLS) that is similar to LockBit, namely NONAME:-

noname2j6zkgnt7ftxsjju5tfd3s45s4i3egq5bqtl72kgum4ldc6qyd.onion

The Onion URL is a vanity URL as “NONAME” is present in the URL.

This LockBit-styled Data Leak Site (DLS) features data leaks from September, which were listed on the official website of LockBit back in September.

Screenshot of NONAME Data Leak Site

As shown in the screenshot, it can be assumed that this group has started to add a few victims to the page and that negotiations are under way. From this landing page, the group intends to leave an impression about the Negotiation Phase and Data Deletion, as it urges the current victims to pay the ransom and avoid complexities such as Data Retrieval or GDPR compliance issues.

NOTE: We never know whether the same data will appear on another fresh site under a new group name in the future!

But here, all the listed companies were earlier leaked by Lockbit3.0 during the time frame between July and September 2023, and there are no fresh leaks at the time of writing (ATTOW). At present, the same victims have been removed from the official website of LockBit, as they refresh their victim leaks regularly (only December records are currently present in the Lockbit DLS Portal ATTOW).

While tracing active infections attributed to NONAME, it was found that the group had targeted a few victims in November 2023, as queries about the same group [NONAME] started to appear in various forums.

NONAME query on a Forum

Following are the contact addresses of the Threat Actor given in the portal for direct communication:-

Email Addresses: nonamehack2023@gmail.com, nonamehack2023@tutanota.com
TOX ID: F1D0F45DBC3F4CA784D5D0D0DD8ADCD31AB5645BE00293FE6302CD0381F6527AC647A61CB08D

Case 2: LOCKBIT BLOG

During the investigation, I came across a DLS (Data Leak Site) which claims to be LockBit. The logo and web style found on this new site are the same as those of Lockbit3.0:-

lockbitblog.info

Screenshot captured from LockbitBlog

The only difference between the 2 sites is that LockBit Blog had listed 2 more victims in the first row (which, again, were put up by the real LockBit back in September).

It is also a notable fact that most of the listed victim leaks are from Canada.

TRACING ROOTS…

While performing a registry (WHOIS) check on LockBit Blog, it was found that the site was registered with NAMECHEAP on 4th November 2023.

By inspecting the Domain Certificate details, it was found that this website is short-lived: the certificate would expire in February 2024 (a 3-month validity).

Certificate Details of Domain

NOTE: While doing a Sub-Domain Lookup, another Domain came to my attention which is related to NONAME on the surface web:-

nonameblog.info

Screenshot of NONAME

As expected, by tracing the Registry details of this DLS, it was found that the domain was registered on the same day as LockBit Blog, with the same registrar, NAMECHEAP.

This site is left as a bare directory index rather than a DLS listing. In the above image, the listed files’ timestamps match the Domain Registration Date.

Hence, from this evidence, it can be concluded that both NONAME and LOCKBIT BLOG are operated by the same threat actors, who started their operations in November 2023.

Upon analysis, it is found that all the subdomains are the same for both NONAME and LOCKBITBLOG (Included in the IOC Section).

Here are the server specifications of the Dark Web & Surface Web Domains of this Impersonator:-

lockbitblog.info
Hosted with LiteSpeed Web Server

noname2j6zkgnt7ftxsjju5tfd3s45s4i3egq5bqtl72kgum4ldc6qyd.onion
WordPress site Hosted with nginx

Registration dates:
nonameblog.info: 4th November 2023
lockbitblog.info: 4th November 2023

It can be assumed that the threat actor is using a Russian Mail (Mail.ru) service as a backup for nonamehack2023@gmail.com.

POSSIBILITIES

As per the current situation, we cannot rush to a conclusion.

Hence, it can be assumed that this group might be an affiliate of LockBit which holds the leak records of Lockbit3.0 that were listed on the official website of LockBit in July and September,

OR

A group that regularly collects leaked databases and registered a new domain when LockBit deleted the leaked data from its official website.

However, there is high confidence that the group is not LockBit, as its MO (modus operandi) differs from that of the legitimate LockBit Group. Previously, the legitimate LockBit Group operated surface domains under TLDs such as .UZ, .AT and .TOP.

Some of the legitimate LockBit domains are:-

lockbit-decryptor.top
lockbitapt.uz
lockbitsupp.uz
decoding.at
bigblog.at

NOTE: Again, we cannot presume that a Threat Actor’s MO stays the same, as the MO often changes over time, adding more attack vectors and adopting new methods to target victims.

IOC

Domains
=======
lockbitblog.info
nonameblog.info
noname2j6zkgnt7ftxsjju5tfd3s45s4i3egq5bqtl72kgum4ldc6qyd.onion
nonameblog.info.lockbitblog.info
cpcontacts.lockbitblog.info
webmail.lockbitblog.info
www.lockbitblog.info
mail.lockbitblog.info
ftp.lockbitblog.info
whm.lockbitblog.info
cpcalendars.lockbitblog.info
cpanel.lockbitblog.info
autodiscover.lockbitblog.info
webdisk.lockbitblog.info
autoconfig.lockbitblog.info
autodiscover.nonameblog.info
webdisk.nonameblog.info
cpcalendars.nonameblog.info
ftp.nonameblog.info
www.nonameblog.info
cpcontacts.nonameblog.info
whm.nonameblog.info
cpanel.nonameblog.info
autoconfig.nonameblog.info
webmail.nonameblog.info
mail.nonameblog.info
6qubpgkb7vjd6upivya4ll2xvzkx6zdj5bfwfo7qqm4jd3cuv4nwg2id.onion
7tkffbh3qiumpfjfq77plcorjmfohmbj6nwq5je6herbpya6kmgoafid.onion

IP Address
==========
66.29.141.245
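The IOCs above are only useful once they are matched against your own telemetry. The following is an added example (not part of the original write-up) showing how a defender can sweep DNS resolver logs for these indicators. It uses the domains and IP address listed in the IOC section; it treats any subdomain of an IOC domain as a hit, so the hosting-panel labels (cpanel., webmail., autodiscover., etc.) that were found identical across both domains are covered without enumerating each one. The log format and the log lines are constructed sample data, and the regex assumes a simple space-separated "timestamp source-IP qtype query answer" layout.

```python
"""Sweep DNS resolver log lines for the LockBit-imitator IOCs.

Added example, not from the original article. IOC values come from the
article's IOC section; the log format and sample lines are constructed.
"""
import ipaddress
import re

# Apex domains and onion services from the IOC section. Subdomains such as
# cpanel.lockbitblog.info match via the suffix check in domain_matches().
IOC_DOMAINS = {
    "lockbitblog.info",
    "nonameblog.info",
    "noname2j6zkgnt7ftxsjju5tfd3s45s4i3egq5bqtl72kgum4ldc6qyd.onion",
    "6qubpgkb7vjd6upivya4ll2xvzkx6zdj5bfwfo7qqm4jd3cuv4nwg2id.onion",
    "7tkffbh3qiumpfjfq77plcorjmfohmbj6nwq5je6herbpya6kmgoafid.onion",
}

# Hosting IP from the IOC section.
IOC_IPS = {ipaddress.ip_address("66.29.141.245")}

# Assumed log layout: "<timestamp> <source-ip> <qtype> <query> <answer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qtype>\S+)\s+(?P<query>\S+)\s+(?P<answer>\S+)$"
)


def normalise_domain(name: str) -> str:
    """Lower-case and strip a trailing dot so FQDN variants compare equal."""
    return name.strip().rstrip(".").lower()


def domain_matches(name: str, iocs=IOC_DOMAINS) -> bool:
    """True if name equals an IOC domain or is a subdomain of one.

    The leading dot in the suffix check prevents look-alikes such as
    notlockbitblog.info from matching lockbitblog.info.
    """
    name = normalise_domain(name)
    return any(name == d or name.endswith("." + d) for d in iocs)


def ip_matches(value: str, iocs=IOC_IPS) -> bool:
    """True if value parses as an IP address that is in the IOC set."""
    try:
        return ipaddress.ip_address(value) in iocs
    except ValueError:
        return False


def scan_dns_log(lines):
    """Return one hit record per log line that touches an IOC.

    Each record carries the reasons it matched, so a query to an unlisted
    name that resolved to the IOC IP is still surfaced.
    """
    hits = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # malformed or differently formatted line; skip
        rec = m.groupdict()
        reasons = []
        if domain_matches(rec["query"]):
            reasons.append("query matches IOC domain")
        if ip_matches(rec["answer"]):
            reasons.append("answer matches IOC IP")
        if reasons:
            hits.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "query": rec["query"],
                "answer": rec["answer"],
                "reasons": reasons,
            })
    return hits


# Constructed sample log: one direct subdomain hit, one benign query, one
# look-alike that must NOT match, one unlisted name resolving to the IOC IP,
# and one malformed line.
SAMPLE_LOG = [
    "2024-01-15T10:02:11Z 10.0.0.12 A cpanel.lockbitblog.info 66.29.141.245",
    "2024-01-15T10:02:12Z 10.0.0.12 A example.com 203.0.113.5",
    "2024-01-15T10:03:40Z 10.0.0.27 A notlockbitblog.info 198.51.100.7",
    "2024-01-15T10:05:03Z 10.0.0.31 A cdn.example.net 66.29.141.245",
    "malformed line",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['query']} ({hit['answer']}): "
              + "; ".join(hit["reasons"]))
```

Running the script against the constructed sample flags two lines: the cpanel.lockbitblog.info lookup (domain and IP both match) and the cdn.example.net lookup, which is caught only because its answer is the IOC IP. The look-alike notlockbitblog.info is not reported, which is the point of anchoring the suffix check on a leading dot.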

Follow me on Twitter/X for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- The article is purely Individual Research and is not subjected to be used/published anywhere without the Author’s consent.


Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.