The FBI’s continued fight against LockBit has led the agency to obtain over 7,000 decryption keys for the ransomware, revealed the agency’s Cyber Assistant Director Bryan Vorndran while speaking at the 2024 Boston Conference on Cyber Security. The agency is also contacting known victims to help them reclaim their data and encourages anyone who suspects they were a victim to come forward.
LockBit has been a rather active ransomware-as-a-service (RaaS) operation for a while now, developing increasingly sophisticated tactics over time to bypass security measures and law enforcement agencies. This isn’t the first time law enforcement or private security companies have retaliated against LockBit either. In August 2022, after suffering a DDoS attack, reportedly on behalf of digital security company Entrust, the LockBit ransomware gang announced that it would be strengthening its defences against DDoS attacks and taking the operation to a triple extortion level.
However, LockBit’s havoc streak seems to be over for good this time. In February 2024, an operation dubbed Operation Cronos, run by law enforcement agencies from 11 countries, disrupted the LockBit infrastructure. The operation also led to the arrest of two individuals associated with the cybercrime gang in Poland and Ukraine, and over 200 crypto wallets used by the group were seized.
The identity of LockBit’s admin, known as ‘LockBitSupp’ and ‘putinkrab’, has also been revealed. The admin turns out to be a Russian man named Dmitry Yuryevich Khoroshev, who has had sanctions imposed on him in addition to facing 26 charges from the FBI, which is continuing efforts to bring Khoroshev to justice in the US.
The UK’s National Crime Agency went a little further and took control of LockBit’s servers, compromising their entire network. This included control of LockBit’s central administrative environment used by its RaaS affiliates and the dark web Tor site used by the gang to leak data when a victim didn’t pay the ransom demanded. The NCA has since modified the Tor website to publish updates on the operation and assist the ransomware victims.
While seized domains are nothing new in the war between law enforcement agencies and cybercriminals, with some even managing to take back control of their domains, what’s likely going to hurt LockBit the most is the fact that the NCA was able to obtain the source code of the LockBit platform and a ton of information on the group’s operations, affiliates, and supporters.
To make matters worse, the NCA accessed data stolen from the victims. This suggests that the ransomware gang didn’t delete victims’ data even after taking ransoms and claiming that the stolen data had been deleted. The NCA’s announcement also says that the agency found a “bespoke data exfiltration tool” called Stealbit, which was used by the gang’s partners to steal victim data.
Overall, members of the Operation Cronos task force have taken down LockBit’s online infrastructure, which was spread across three countries, along with 28 servers belonging to the group’s affiliates. Finally, the NCA also gained access to over 1,000 decryption keys and has made LockBit’s decryptor available for free on the website of the “No More Ransom” initiative. That said, despite the best attempts of law enforcement, LockBit is still an active operation that has targeted tens of organisations since February.