LockBit

The U.S. State Department has announced monetary rewards of up to $15 million for information that could lead to the identification of key leaders within the LockBit ransomware group and the arrest of any individual participating in the operation.

"Since January 2020, LockBit actors have executed over 2,000 attacks against victims in the United States, and around the world, causing costly disruptions to operations and the destruction or exfiltration of sensitive information," the State Department said.

"More than $144 million in ransom payments have been made to recover from LockBit ransomware events."

The development comes as a sweeping law enforcement operation led by the U.K. National Crime Agency (NCA) disrupted LockBit, a Russia-linked ransomware gang that has been active for more than four years, wreaking havoc on business and critical infrastructure entities around the world.

Ransomware-as-a-service (RaaS) operations like LockBit and others work by extorting companies by stealing their sensitive data and encrypting them, making it a lucrative business model for Russian e-crime groups that act with impunity by taking advantage of the fact that they are outside of the jurisdiction of Western law enforcement.

Cybersecurity

The core developers tend to tap into a network of affiliates who are recruited to carry out the attacks using LockBit's malicious software and infrastructure. The affiliates, in turn, are known to purchase access to targets of interest using initial access brokers (IABs).

"LockBit rose to be the most prolific ransomware group since Conti departed the scene in mid-2022," Chester Wisniewski, global field CTO at Sophos, said.

"The frequency of their attacks, combined with having no limits to what type of infrastructure they cripple has also made them the most destructive in recent years. Anything that disrupts their operations and sows distrust amongst their affiliates and suppliers is a huge win for law enforcement."

LockBit is also known to be the first ransomware group to announce a bug bounty program in 2022, offering rewards of up to $1 million for finding security issues in its website and locker software.

"LockBit's operation grew in scale by consistently delivering new product features, providing good customer support, and at times, marketing stunts that included paying people to tattoo themselves with the group's logo," Intel 471 said.

Image Source: X

"LockBit flipped the script, letting its affiliates collect the ransom and trusting them to pay it a portion. This made affiliates confident that they were not going to lose out on a payment, thus attracting more affiliates."

SecureWorks Counter Threat Unit (CTU), which is tracking the group under the name Gold Mystic, said it investigated 22 compromises featuring LockBit ransomware from July 2020 through January 2024, some of which relied solely on data theft to extort victims.

The cybersecurity company further pointed out that LockBit's practice of ceding control to its affiliates to handle ransom negotiation and payments allowed the syndicate to scale up and draw several affiliates over the years.

Cybersecurity

LockBit's takedown followed a months-long investigation that commenced in April 2022, leading to the arrest of three affiliates in Poland and Ukraine, the indictment in the U.S. of two other alleged members, as well as the seizure of 34 servers and 1,000 decryption keys that can help victims recover their data without making any payment.

These arrests include a 38-year-old man in Warsaw and a "father and son" duo from Ukraine. LockBit is estimated to have employed about 194 affiliates between January 31, 2022, and February 5, 2024, with the actors using a bespoke data exfiltration tool known as StealBit.

LockBit

"StealBit is an example of LockBit's attempt to offer a full 'one-stop shop' service to its affiliates," the NCA said, adding the executable is used to export the data through the affiliate's own infrastructure before StealBit's in a likely effort to evade detection.

That said, the fluid structure of these RaaS brands means that shutting them down may not decisively impact the criminal enterprise, allowing them to regroup and resurface under a different name. If the recent history of similar takedowns is any indication, it won't be long before they rebrand and continue from where they left off.

"Comprehensive degradation of LockBit's infrastructure will likely result in a short cessation in activity from LockBit operatives before they resume operations – either under the LockBit name or an alternative banner," ZeroFox said.

"Even if we don't always get a complete victory, like has happened with QakBot, imposing disruption, fueling their fear of getting caught and increasing the friction of operating their criminal syndicate is still a win," Wisniewski added. "We must continue to band together to raise their costs ever higher until we can put all of them where they belong – in jail."

LockBit Saga — Timeline of Events

  • February 20, 2024

    LockBit Busted - Authorities Seize Darknet Domains

    An international law enforcement operation, including 11 countries and Europol, successfully seized darknet domains linked to the ransomware group LockBit, which has extorted over $91 million since 2019. The operation, named Cronos, used a PHP security flaw to disrupt LockBit's websites, marking a significant blow to the group's activities.

  • February 21, 2024

    LockBit Hackers Arrested - Decryption Tool Released

    UK's NCA shuts down LockBit ransomware, arrests 2 in Poland/Ukraine, freezes 200+ crypto accounts, indicts 2 Russians in US. Seized LockBit's code, intelligence, dismantled 34 servers, retrieved 1k decryption keys. LockBit affected 2.5k victims globally, netted $120M. Decryption tool available for victims.

  • February 22, 2024

    $15 Million Bounty on LockBit Ransomware Leaders

    US State Dept offers $15M reward for info on LockBit ransomware leaders, involved in 2k+ global attacks since 2020, causing $144M in damages. Law enforcement disrupted LockBit, arresting affiliates and seizing assets. LockBit, known for ransomware-as-a-service, extensive affiliate network, and innovative tactics like a bug bounty program, remains a significant cyber threat despite setbacks.

  • February 25, 2024

    LockBit Ransomware Kingpin 'Engages' with Police

    The individual(s) behind the LockBit ransomware service, known as LockBitSupp, has reportedly engaged with law enforcement following a significant international crackdown on the ransomware-as-a-service operation named Operation Cronos.

  • February 26, 2024

    LockBit is Back - Calls for Attacks on US Government

    The LockBit ransomware group has re-emerged on the dark web with a new infrastructure shortly after law enforcement seized its servers. The group has listed 12 new victims on its data leak portal and discussed the seizure of its websites, attributing it to a potential exploitation of a PHP vulnerability.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.