More LockBit affiliates arrested, $10M bounty for info on others


French authorities have issued several arrest warrants against LockBit affiliates, continuing an unprecedented campaign to dismantle the largest ransomware cartel. Meanwhile, the US said it will offer up to $15 million in combined rewards for information on LockBit’s leadership and affiliates.

The Paris Judicial Court issued three arrest warrants against members of the LockBit crime gang, officials announced. Like the other Operation Cronos messages, the announcement was posted on LockBit’s seized dark web leak site, which the gang used to showcase its latest victims.

According to the statement, a Polish national accused of laundering proceeds linked to 30 ransom payments has been arrested. Meanwhile, an additional arrest warrant was issued against a Russian LockBit affiliate. Affiliates deploy LockBit malware on victim systems and then extort the victims for ransom.


One more arrest warrant was issued against a Russian LockBit affiliate in November 2022. According to the authorities, the individual has been arrested. Due to the French legal framework, the identities of the people arrested were not revealed.

At the same time, the US Department of State announced reward offers totaling up to $15 million: up to $10 million for information leading to the identification or location of the gang’s key leaders, and up to $5 million for information leading to the arrest or conviction of anyone participating in LockBit ransomware attacks.

Earlier this week, law enforcement agencies from ten countries announced the results of the months-long Operation Cronos. Authorities crippled LockBit’s operations by compromising the gang’s primary platform and other critical infrastructure.

Authorities seized 34 of the gang’s servers, froze over 200 cryptocurrency accounts linked to the criminal organization, and made arrests in Poland and Ukraine. According to Ukrainian authorities, a father and son duo operating from Ternopil, a town in Western Ukraine, were part of LockBit’s operation.

Because authorities infiltrated LockBit’s systems and mapped its core activity, they obtained decryption keys, which will be distributed to LockBit’s victims so they can unlock the data the criminals encrypted.

“The seizure of LockBit’s website sends a strong message to criminal groups and threat actors that law enforcement is intensifying efforts to dismantle ransomware groups, regardless of their perceived success or status,” Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ said.

Who is LockBit?

The LockBit group first appeared on the ransomware scene sometime in late 2019, according to industry insiders. Since then, the gang has climbed to the top of the food chain, topping many lists in terms of victimized organizations.


Even though the gang tried to maintain a fake image of ‘ethical’ criminals, its affiliates did not refrain from attacking public institutions, including hospitals. In early February, attackers breached a non-profit children’s hospital, and in January LockBit claimed an attack against Saint Anthony Hospital in Chicago.

The threat actors are said to have executed over 1,400 attacks against victims in the US and around the world, including Asia, Europe, and Africa. The gang’s notorious ransomware, now in its third iteration as LockBit 3.0 – also known as LockBit Black – is considered the most evasive of all its strains, a US Department of Justice report said. The variant also shares similarities with two other Russian-linked ransomware families, BlackMatter and ALPHV (BlackCat), the DOJ said.

According to the Cybernews Ransomlooker, a ransomware monitoring tool, LockBit accounted for 47% of all publicly announced ransomware victims over the last 12 months.

The gang’s key persona is a Russia-based individual under the moniker LockBitSupp. According to Jon DiMaggio, Chief Security Strategist at Analyst1, the individual or individuals behind the admin account fiercely compete in the ransomware world, conducting smear campaigns against rivals.

DiMaggio believes LockBitSupp is closely related to other major ransomware operators in Russia, a hotspot for ransomware activity. Cybercriminals can safely operate under Moscow’s rule as Russia’s law enforcement turns a blind eye to the export of cybercrime as long as ransomware gangs don’t target local organizations.

Most of the key ransomware operators explicitly forbid affiliates from targeting organizations in Russia and in the member states of the Moscow-led Commonwealth of Independent States (CIS).