The FBI wants victims of the LockBit ransomware to come forward because it has obtained over 7,000 LockBit decryption keys that could allow them to recover their encrypted data for no fee.

Those keys come as a result of a February global law enforcement operation across 11 countries to disrupt and seize infrastructure, as well as to impose sanctions on LockBit and its affiliates, said Bryan Vorndran, assistant director at the FBI Cyber Division, during his keynote address at the 2024 Boston Conference on Cyber Security. “We determined that LockBit and its affiliates were still holding data they told LockBit victims they had deleted—after receiving ransom payments.”

“Additionally, from our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online,” Vorndran said. “We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov.”

Moreover, the global action led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.

The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.

The NCA now uses the seized Tor leak site to publish updates on the law enforcement operation and provide support to the victims of the gang.

The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.

LockBit was set up by a Russian coder named Dimitri Khoroshev, Vorndran said in his talk.

“He maintains the image of a shadowy hacker, using online aliases like ‘Putinkrab,’ ‘Nerowolfe,’ and ‘LockBitsupp.’ But, really, he is a criminal, more caught up in the bureaucracy of managing his company than in any covert activities.

“Essentially, he licenses LockBit ransomware, allowing hundreds of affiliate criminal groups to run shakedowns.

“In exchange for the use of his software, he gets a 20% cut of whatever ransoms they collect from innocent people and companies around the world,” Vorndran said.

After the February raid, Vorndran said, Khoroshev tried to get the FBI to go easy on him by turning on his competitors, naming other ransomware-as-a-service operators.

“So, it really is like dealing with organized crime gangs, where the boss rolls over and asks for leniency,” Vorndran said.

