The Defense is Wrong: Periodic Reminder that LockBitSupp is a Lying Bastard
I Love My Cousin Vinny So Much
My Cousin Vinny is one of my favorite movies, and my favorite scene is when the always amazing Marisa Tomei is forced to testify in the trial and exclaims, “The defense is wrong!” and then goes on to prove the defense’s case.
Anyway, my point is that there have been a lot of headlines about the “resurgence of LockBit” in May after law enforcement action and I am here to remind the whole world: LockBitSupp is a Lying Bastard™ and Please Stop Listening to Him.
Is LockBit ransomware cooked? I can’t say. They have been down a number of times but always seem to come back, but May does not appear to be an example of that comeback.
Valéry Rieß-Marchive at LeMagIT has already taken a thorough look at the data and come to the same conclusion. At least 68 of the “record number of victims” are simply old victims being re-posted. It also looks like some of the “new” victims aren’t real either.
Don’t get me wrong, even if LockBit posted 100 victims in May, that would be bad, but it is very different than 176, and it would be out of line compared to what we’ve seen in recent months, with just 40 victims in March and April and even fewer than that to this point in June. I think of May as more of a “last gasp” from a slowly dying ransomware group, and that’s not just wishful thinking on my part. LockBitSupp has become a pariah in the underground community and lost the trust of so many ransomware affiliates and partners that it will be hard for him to get back to where he once was.
Of bigger concern right now is the fact that so many of the newly formed ransomware groups are making use of the leaked LockBit code, so we are seeing a big increase in ransomware attacks that use that code but are not related to the original LockBit.