Hope for LockBit Ransomware victims: FBI recovers 7,000 decryption keys


Following a successful operation against LockBit that exposed the ringleader and seized its infrastructure, FBI Cyber Assistant Director Bryan Vorndran claims that many victims can expect to reclaim their data.

“From our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online,” Vorndran said at the 2024 Boston Conference on Cybersecurity.

“We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov,” he added.

He also shared more details on the illicit activities of LockBit Ransomware, one of the largest cybercrime rings in the world. LockBit operates using a ransomware-as-a-service (RaaS) model.

Cybernews has already reported that the FBI had released the ringleader’s name and picture. LockBit was set up by a Russian coder named Dimitri Khoroshev.

“He maintains the image of a shadowy hacker, using online aliases like ‘Putinkrab,’ ‘Nerowolfe,’ and ‘LockBitsupp.’ But, really, he is a criminal, more caught up in the bureaucracy of managing his company than in any covert activities. Essentially, he licenses LockBit ransomware, allowing hundreds of affiliate criminal groups to run shakedowns,” Vorndran said.

Khoroshev’s cut was 20% of whatever ransoms his affiliates collected. To help them succeed, he provided them with assistance through hosting and storage, estimated optimal ransom demands, and laundered cryptocurrency. He even offered discounts for high-volume customers.

The FBI Cyber Lead assesses that since it was unleashed in September 2019, LockBit has been used by “hundreds of unconnected affiliates” and has been responsible for over 1,800 attacks in the US and more than 2,400 attacks globally. These attacks have caused billions of dollars in damages to victims and made LockBit the most deployed ransomware variant.

“These LockBit scams run the way local thugs used to demand ‘protection money’ from storefront businesses. LockBit affiliates steal your data, lock it down, and demand payment to return your access to it. Then, if you pay the ransom, they return your access to your data. But they also keep a copy, and sometimes they demand a second payment to stop them from releasing your personal or proprietary information online,” Vorndran said.

LockBitsupp wanted

LockBit previously tried to give the impression that the FBI was after the wrong guy. However, Vorndran’s remarks suggest that Khoroshev communicated with the FBI.

“Khoroshev then tried to get us to go easy on him by turning on his competitors, naming other ransomware-as-a-service operators. So, it really is like dealing with organized crime gangs, where the boss rolls over and asks for leniency. We will not go easy on him,” Vorndran assured.

“The FBI will undoubtedly continue our pursuit of bringing him to justice here in the US.”

If caught and arrested, Khoroshev faces a maximum penalty of 185 years in prison, as well as a maximum fine of $250,000 for each of the 26 counts. The Justice Department also unsealed charges against six co-conspirators for fraud, extortion, and other crimes.

In February, authorities crippled LockBit’s operations by compromising the gang’s primary platform and other critical infrastructure. Thirty-four of the gang’s servers and over 200 cryptocurrency accounts linked to the criminal organization were seized. The UK National Crime Agency (NCA) obtained over 30,000 Bitcoin addresses from LockBit’s systems.

Almost all the criminals developing sophisticated malware to enable ransomware attacks are based in Russian-speaking countries and operate as organized crime syndicates, similar to traditional organized crime elements.