LockBit's admin engaged authorities - law enforcement


LockBitSupp, the leader behind the notorious LockBit gang supposedly reached out to law enforcement agencies, authorities claim in the latest reveal amidst the dismantling saga of the cyber cartel.

"We know who he is. We know where he lives. We know how much he is worth. LockBitSupp has engaged with law enfrocement," reads a message on the former LockBit dark web blog, currently controlled by UK National Crime Agency (NCA), together with other authorities.

The message attempted to shed some light on the cybergang leader's whereabouts indicating the ringleader does not reside in the US. Somewhat unusually, authorities discussed what type of a car the cybercriminal drives, hinting he could hardly finds spare parts for it. This is likely a clue that LockBitSupp lives in Russia, which has been sanctioned by Western nations over the Kremlins invasion of Ukraine.

While the announcement does reveal that the gang's leader approached law enforcement agencies, his identity remains a mystery. However, if LockBitSupp chose to cooperate with the authorities, his identity might be protected for safety reasons. Alternatively, authorities might not know the actual identity of the gang's admin.

LockBitSupp identity
Announcement on the former LockBit dark web blog. Image by Cybernews.

Earlier today, the NCA said it obtained over 30,000 Bitcoin addresses from LockBit’s systems. Authorities estimate the gang and its affiliates obtained billions of dollars over its four-year existence. LockBit performed thousands of confirmed ransomware attacks over the gang‘s lifetime, with NCA believing that its impact can be measured “in the multi-billions of dollars globally.”

Operation Cronos, a months-long operation by multiple law agencies worldwide, allowed authorities to obtain a staggering 30,000 Bitcoin wallet addresses from LockBit’s systems.

On February 19th, authorities crippled LockBit’s operations by compromising the gang’s primary platform and other critical infrastructure. Thirty-four of the gang’s servers and over 200 cryptocurrency accounts linked to the criminal organization were seized, and arrests were made in Poland and Ukraine.

According to Ukrainian authorities, a father and son duo ran LockBit’s operation from Ternopil, a town in Western Ukraine.

Since authorities infiltrated LockBit’s systems and mapped its core activity, decryption keys will be distributed to LockBit’s victims to unlock the data that the criminals encrypted.

The LockBit group first appeared on the ransomware scene sometime in late 2019, according to industry insiders. Since then, the gang has climbed to the top of the food chain, topping many lists in terms of victimized organizations.

Even though the gang tried to maintain a fake image of 'ethical' criminals, its affiliates did not restrain from attacking public institutions. In early February, attackers breached Saint Anthony Hospital, a non-profit children's hospital. In January, LockBit claimed an attack against Saint Anthony Hospital in Chicago.

According to the Cybernews Ransomlooker, a ransomware monitoring tool, LockBit accounted for 47% of all publicly announced ransomware victims over the last 12 months.

The gang's key persona is a Russia-based individual under the moniker LockBitSupp. According to Jon DiMaggio, Chief Security Strategist at Analyst1, the individual or individuals behind the admin account fiercely compete in the ransomware world, conducting smear campaigns against rivals. DiMaggio believes LockBitSupp is closely related to other major ransomware operators in Russia, a hotspot for ransomware activity.

Cybercriminals can safely operate under Moscow's rule as Russia's law enforcement turns a blind eye to the export of cybercrime as long as ransomware gangs don't target local organizations. Most of the key ransomware operators explicitly forbid affiliates to target organizations in Russia and members of the Moscow-led Commonwealth of Independent States (CIS).